
Re: OT re HTTP auth disassociation of credentials

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 25 Sep 2011 15:06:04 +0200
Message-ID: <4E7F273C.4070503@gmx.de>
To: Willy Tarreau <w@1wt.eu>
CC: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 2011-09-19 06:30, Willy Tarreau wrote:
> ...
> I agree, I've missed this a number of times too. In fact, I noticed that
> if you force the server to return 401 when presented the valid credentials,
> most browsers seem to forget the ones they used to cache. But this is
> terribly dirty, as the user receives a new pop-up where he's tempted to
> re-enter his credentials...
>
> I think that the difficulty for browsers is how to deal with multiple
> parallel connections. If one of them returns "4XX logout" and others
> still return 2xx or 3xx in response to some Authorization headers, it
> may be confused. This probably means that the "4xx logout" should
> cause an immediate flush of the cached credentials and that no window
> or frame or connection may use a cached version of them. Maybe this is
> already something simple for browsers, I don't know.
> ...

But that's not different from today with logging out from sites using 
cookie authentication, right?

Speccing a 4xx status code seems to be quite simple, but I'll assume 
most sites would be hesitant to use something for "logout" when there's 
no simple way to find out whether the UA understood it.

Best regards, Julian
Received on Sunday, 25 September 2011 13:06:35 GMT
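The workaround Willy describes above (the server answers 401 even to valid credentials so the browser drops what it cached), modelled as an added example that is not part of the thread: a toy server with a `/logout` path, and a minimal user-agent credential cache that flushes on the 401. The realm, user name and password are constructed values.

```python
import base64
import hmac

REALM = "example"
USERS = {"alice": "s3cret"}  # constructed demo credential store, not from the thread


def check_basic(header):
    """Return the user name if `header` is a valid Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # Constant-time comparison of the password bytes.
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


def respond(path, auth_header):
    """Server side: return (status, headers, body). /logout answers 401 even to valid credentials."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if path == "/logout":
        return 401, challenge, b"logged out"
    user = check_basic(auth_header)
    if user is None:
        return 401, challenge, b"authentication required"
    return 200, {}, f"hello {user}".encode()


class UserAgent:
    """Minimal model of a browser's credential cache for one realm."""

    def __init__(self):
        self.cached = None  # Authorization header value, or None when nothing is cached

    def login(self, user, password):
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.cached = f"Basic {token}"

    def request(self, path):
        status, headers, body = respond(path, self.cached)
        # A 401 to a request that already carried cached credentials means the
        # server rejected them: drop the cache, so the user would be prompted again.
        if status == 401 and self.cached is not None:
            self.cached = None
        return status
```

The model sends requests one at a time; with several parallel connections in flight, a 200 for an earlier request may arrive after the 401, which is exactly the ordering problem the thread raises.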
