W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

OT re HTTP auth disassocation of credentials

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 19 Sep 2011 16:18:34 +1200
Message-ID: <4E76C29A.60908@qbik.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hi all

I know this is outside the WG charter, but I thought it could be topical 
in terms of recent discussions on authentication.

One of the failings (IMHO) of the HTTP auth as implemented by most 
browsers, is the impossibility of implementing a logout function in a 
web site which uses HTTP auth.

Since client browsers cache credentials (for obvious reasons), they will 
re-present cached creds for each new page if there's ever a 401 returned.

This means once you use HTTP authentication to establish creds with a 
site, you can't disassociate your browser from these creds without 
shutting it down.  In most cases, this involves shutting down every 
instance of your browser.

Compared with your typical website that uses cookie/session-based login, 
this seems like a fairly glaring omission.

So, what if there were some status code, or response header that could 
be used to tell a browser to clear the cached credentials for that 
site?  Then you could put up a link on your web page, call it logout, 
and when the user clicks it, you send back that status or header.  Then 
the client unlearns the creds so that the next auth challenge from that 
site results in a login dialog in the client.


Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Monday, 19 September 2011 04:19:10 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:58 UTC