Re: Past Proposals for HTTP Auth Logout

Hello Tim,

Tim wrote:
> Bil,
> 
> I've taken your trick for log outs and combined it with a few other
> tricks to build a sample application which achieves login, logout, and
> password changes all without the traditional HTTP authentication
> prompt.  Take a peek:
> 
>   http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
> 
> It seems to work well in IE 6, 7, and 8, as well as Firefox, Chrome,
> and Safari.  It still doesn't work in Opera, but I think that's a lost
> cause until the proposed W3C standard is adopted.  That standard, if
> adopted, would also make this code a lot simpler for other browsers.
> I haven't tested it in other browsers, besides these top 5.


There was a similar discussion on rest-discuss a few days ago:
http://tech.groups.yahoo.com/group/rest-discuss/message/14856

Alan Dean was looking for something that would work with Digest auth. I 
just don't see that being possible with the current XMLHttpRequest 
specifications (since you can't specify Digest preemptively).

Although it's slightly out of context, here is what I replied off-list 
later on too:
> 
> Unfortunately, I think you're going to have to use a popup or a form/cookie.
> 
> There's an HTTP Cookie auth draft that might help, but it doesn't seem to have gathered much momentum. Even if it did (from the spec point of view), getting it implemented across the board seems tough (it's hard to explain why do this when people use cookies and it works in most cases). REST advocates understand what the problem is, but generally, I suspect most developers don't.
> 
> You might be able to put that AJAX form in the entity associated with the initial 401 response (and get away with a missing WWW-Authenticate with most browsers).
> From there making it use Digest for the first request sounds doable, but quite hard for subsequent (non-AJAX) requests.
> 
> I generally wish there was a "WWW-Authenticate: Form" mechanism (or some form of security token, or cookie like this IETF draft), but for this to be effective, it would need to be implemented in major browsers.
> I've also tried to suggest a "WWW-Authenticate: Transport" (or some other name), mainly for TLS client certificate authentication, but it didn't go very far (I'd need to improve the idea). 


It seems there's a discussion in the HTML5 WG about accessing cookies 
from HTML, but I haven't followed it. I'm not sure how good an idea this 
is. Such a mechanism could enable AJAX forms to set the authentication 
cookie/token perhaps.
I'd prefer a solution that has a clearly separated authentication scheme 
(rather than using 'Cookies' at all, have a separate authentication 
token store in the browser, capable of login/logout), but the 
'WWW-Authenticate: Cookie' scheme seems it could be a reasonable compromise.


> In any case, I think it shows how this is possible even now with
> current browser limitations, but I still feel strongly that an
> HTTP-level log out mechanism is needed for those without JavaScript.

I'm not sure being able to log out from Basic/Digest auth is an HTTP 
issue; it sounds more like an issue of browser interface and/or 
interaction between the webpage and the browser's handling of 
authentication: HTML 5 might be a good place to discuss this.
I do think, however, that there's room for new "WWW-Authenticate" 
schemes: something for 'Cookies' (or generic auth token) and something 
for 'Transport' (to indicate that the authentication is done out of the 
HTTP scope, e.g. via the underlying SSL/TLS stack).


Best wishes,

Bruno.

Received on Thursday, 25 February 2010 18:23:50 UTC