W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: OT re HTTP auth disassocation of credentials

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 25 Sep 2011 14:58:01 +0200
Message-ID: <4E7F2559.6030707@gmx.de>
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Karl Dubost <karld@opera.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2011-09-21 17:29, Eric Lawrence wrote:
> FWIW, IE6+ offers a script-accessible method for clearing the session-cached credentials, and both Chrome and Firefox have bugs filed to offer similar functionality. See the end of the post http://blogs.msdn.com/b/ieinternals/archive/2010/04/05/understanding-browser-session-lifetime.aspx
>
> One interesting scenario Microsoft ran into here recently is that the new "Metro-style" version of our browser cannot be "closed" in the usual way (its lifetime is controlled automatically). We settled upon having the closure of the last tab (which simply replaces the old tab with a new default tab) clear the authentication cache and session cookies, even though the browser itself does not close.
>
> -Eric

Interesting; thanks for the pointers.

It seems everybody agrees that something like this is needed, but most 
want something that is restricted to the current session.

Eric, Karl: you represent two browser vendors, maybe you could chat, and 
come up with a joint proposal?

Best regards, Julian
Received on Sunday, 25 September 2011 12:58:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:47 GMT