W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: OT re HTTP auth disassocation of credentials

From: Willy Tarreau <w@1wt.eu>
Date: Sun, 25 Sep 2011 15:20:41 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20110925132041.GO8532@1wt.eu>
Hi Julian,

On Sun, Sep 25, 2011 at 03:06:04PM +0200, Julian Reschke wrote:
> >I think that the difficulty for browers is how to deal with multiple
> >parallel connections. If one of them returns "4XX logout" and others
> >still return 2xx or 3xx in response to some Authorization headers, it
> >may be confused. This probably means that the "4xx logout" should
> >cause an immediate flush of the cached credentials and that no window
> >of frame or connection may use a cached version of them. Maybe this is
> >already something simple for browsers, I don't know.
> >...
> But that's not different from today with logging out from sites using 
> cookie authentication, right?

I think it's slightly different because with a cookie, when the server
deletes it, it's not valid anymore. So even if the browser posts a few
requests with the recently deleted cookie, they will not be authenticated.
With user:passwd credentials, the logout is just an event at one point but
does not remove the credentials' validity. So the few possibly pending
requests which are sent with the credentials should not cause these
credentials to be used again afterwards. But I agree it's just a matter
of implementation.

> Speccing a 4xx status code seems to be quite simple, but I'll assume 
> most sites would be hesitant to use something for "logout" when there's 
> no simple way to find out whether the UA understood it.

That's a good point. In my experience, user:password auth was mostly
used on internal networks. The lack of logout feature is more a matter
of convenience than a real security issue because the population is
limited and clients are installed on machines that are more or less
associated to one user. So even if the UA ignores the 4xx, it's not
a bit deal.

There are also places where web developers waste a lot of time
connecting/disconnecting and constantly have to open/close the browser
because they're experimentating with different user profiles. I noticed
that with proxy auth too, where people validate URL filters, or have to
switch their profile. But here it should probably be a browser feature
and not a 4xx code.

Just my 2 cents,
Received on Sunday, 25 September 2011 13:21:12 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:58 UTC