
Re: Past Proposals for HTTP Auth Logout

From: Story Henry <henry.story@bblfish.net>
Date: Thu, 25 Feb 2010 17:23:14 +0100
Cc: Bil Corry <bil@corry.biz>, Yutaka OIWA <y.oiwa@aist.go.jp>, Working Group HTTP <ietf-http-wg@w3.org>, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
Message-Id: <35138D4A-E363-432E-9711-DFE53465B64B@bblfish.net>
To: Tim <tim-projects@sentinelchicken.org>

On the same note.

What would really help for the foaf+ssl [1] RESTful distributed authentication system would
be if we could somehow push browser vendors to improve their SSL stack - and part of
this may require tying SSL more closely to HTTP - so that they don't automatically
send an SSL certificate once a user has connected to a site. Currently browsers such as
Firefox require a restart before they ask you which certificate you wish to choose.

One suggestion is that one should be able to see what client certificate has been used
when connecting to a web site, so that one could change it:

   http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

The advantage of foaf+ssl over the traditional HTTP login is that it does not even require
a username or password on the part of the user, without any of the traditional problems
associated with certificates, as the certs are self-signed.

	Henry
  
[1] http://esw.w3.org/topic/foaf+ssl

On 31 Jan 2010, at 04:39, Tim wrote:

> Bil,
> 
>> Here's an example of using AJAX to log out a user via HTTP Auth:
>> 
>> 	http://www.corry.biz/logout_demo/
> 
> Oh, nice, I hadn't thought of this before.  To summarize, you just set
> up a page within the protection space which always returns a 200 code
> and then access it via XMLHttpRequest with a bogus password.  What
> browsers have you tested this on?
> 
> So it appears with logins and logouts, AJAX + response code hacks are
> possible to make this work right now.  I still think an HTTP-level
> session termination mechanism is worthwhile for user agents that don't
> want to rely on JavaScript, but for most developers, this could be the
> missing piece to make HTTP auth usable again.
> 
> thanks!
> tim
> 
Received on Thursday, 25 February 2010 16:23:57 GMT
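
The logout trick summarized in the quoted message, shown from both sides as an added example (not code from the linked demo or from any participant in this thread). The realm, paths and credentials are constructed assumptions, and the server side is modelled as a pure function rather than a running server.

```javascript
// Added example. REALM, USERS and LOGOUT_PATH are constructed for illustration.
const REALM = 'demo';
const USERS = { alice: 's3cret' };       // constructed sample credentials
const LOGOUT_PATH = '/private/logout';   // hypothetical page inside the protection space

// Server side: choose the response for a request inside the protection space.
function respond(path, authorization) {
  if (path === LOGOUT_PATH) {
    // Always 200, whatever credentials arrive, so the browser treats the
    // bogus pair as accepted instead of prompting the user again.
    return { status: 200, headers: {}, body: 'logged out' };
  }
  const m = /^Basic (.+)$/.exec(authorization || '');
  if (m) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    const i = decoded.indexOf(':');
    const user = decoded.slice(0, i);
    const pass = decoded.slice(i + 1);
    // A real server would compare password hashes in constant time.
    const known = Object.prototype.hasOwnProperty.call(USERS, user);
    if (i > 0 && known && USERS[user] === pass) {
      return { status: 200, headers: {}, body: 'hello ' + user };
    }
  }
  // Everything else in the protection space challenges for credentials.
  return {
    status: 401,
    headers: { 'WWW-Authenticate': `Basic realm="${REALM}"` },
    body: '',
  };
}

// Browser side: fetch the logout page with throwaway credentials, passed as
// the user and password arguments of XMLHttpRequest.open().
function logout(XHR = globalThis.XMLHttpRequest, done = () => {}) {
  const xhr = new XHR();
  xhr.open('GET', LOGOUT_PATH, true, 'logout', 'invalid-' + Date.now());
  xhr.onload = () => done(xhr.status);
  xhr.send();
  return xhr;
}
```

Whether a given browser replaces its cached credentials after this request is exactly the per-browser question the quoted message asks, so the effect has to be checked in each user agent.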