Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On Wed, Feb 22, 2012 at 02:37:44PM +0100, Julian Reschke wrote:
> >403 is quite a common error where WAF products are deployed, and it
> >would have a disastrous effect if it would cause an automatic logout.
> 
> That's why I suggested that the server decides by including the 
> necessary client side JS code...

I think that sometimes the server wants to cause the logout (eg: application
status code) and sometimes the user wants to log off. Many web developers
working in environments where basic auth is in use are used to opening/closing
their browser all day long due to the lack of a logoff button.

> >That said, I totally agree with you that if we could get the browsers
> >include the logout method, we could start from a cleaner ground to
> >propose more reliable and user-friendly solutions even in 1.1. Maybe
> >we should consider that this feature exists and see what we can build
> >based on that assumption ?
> 
> Maybe.
> 
> My impression is that every time this topic comes up people compile a 
> large list of things-that-absolutely-need-to-be-done, and in the end 
> nothing ever happens because that list is too long, and there's 
> disagreement what should be on the list.

I'm not surprised. In fact, I tend to prefer basic building blocks on top
of which other things may be built, but right now it's obvious that some
such blocks are missing.

> I think there's rough consensus that to make HTTP authentication work 
> better in practice, servers need to be able to logout the user. As far 
> as I can tell, a straightforward way to do so is to have a browser API 
> for that. It's a shame there's no progress on that.

If we had the browsers provide the logoff button, then the current 403
is already enough for user-initiated action. If we want the server to
force a logoff, we possibly need to define how this is supposed to be
done. Note that in this case it's a change of authentication, which is
different from a lack of authorization (eg: return 401 with an empty
www-authenticate response).

I do think that all of that might be defined in 1.1 without touching
the in-browser API if browser vendors collaborate; we just have to
define how it should work and still be compatible with non-compliant
browsers (possibly returning 401 without a www-authenticate header
has no negative effect on older browsers, I'm just suggesting).

It would be nice to have their opinion here. Patrick, Anne, any idea ?
We also need to keep in mind there are non-browser UAs. Maybe Daniel
has some useful ideas based on how curl handles 401.

Regards,
Willy

Received on Wednesday, 22 February 2012 14:03:30 UTC
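The three response classes discussed in the message above (a real 401 challenge, a 403 that must not touch the user's credentials because a WAF may emit it, and a server-forced logoff signalled as a 401 without www-authenticate) can be seen side by side in the following added example. It is not code from the thread or from any of its participants: it is a small Python server plus client that stands in for the UA, and it assumes a hypothetical `/logout` endpoint whose 401-without-challenge behaviour is exactly the unstandardised suggestion Willy floats, not anything a browser or RFC defines. The accounts, realm and paths are constructed for the demo.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo accounts and realm (assumption: not from the thread).
USERS = {"alice": "wonderland", "bob": "builder"}
ADMINS = {"alice"}
REALM = "demo"


def basic_header(user, password):
    """Build the Authorization value a UA sends for Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


def check_basic(header):
    """Return the user name if the Authorization header carries valid Basic
    credentials, else None. Constant-time compare so the server does not leak
    how much of the password matched."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(
            header[6:], validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user, "")  # unknown user compares against "" -> False
    return user if hmac.compare_digest(password.encode(), expected.encode()) else None


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, status, body, extra_headers=()):
        data = body.encode()
        self.send_response(status)
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        user = check_basic(self.headers.get("Authorization"))
        if self.path == "/logout":
            # Hypothetical server-forced logoff as floated in the thread:
            # 401 with no WWW-Authenticate, so there is no challenge to answer.
            self._reply(401, "logged out")
        elif user is None:
            # Not (correctly) authenticated: a real challenge. RFC 2616 10.4.2
            # requires WWW-Authenticate on a 401.
            self._reply(401, "auth required",
                        [("WWW-Authenticate", 'Basic realm="%s"' % REALM)])
        elif self.path == "/admin" and user not in ADMINS:
            # Authenticated but not authorized: 403, the same status a WAF
            # sends, which is why a UA must never drop credentials on it.
            self._reply(403, "forbidden")
        else:
            self._reply(200, "hello " + user)


def classify(status, www_authenticate):
    """What a UA should do with its cached credentials for this response."""
    if status == 401 and www_authenticate:
        return "challenge"   # prompt, or retry with other credentials
    if status == 401:
        return "logout"      # drop cached credentials; nothing to retry with
    if status == 403:
        return "forbidden"   # keep credentials: authorization, not authentication
    return "ok"


def request(port, path, creds=None):
    """One client request; returns (status, WWW-Authenticate value, verdict)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": basic_header(*creds)} if creds else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    www = resp.getheader("WWW-Authenticate")
    conn.close()
    return resp.status, www, classify(resp.status, www)


def run_exchange():
    """Walk the cases from the thread against a local server on a free port;
    returns a list of (path, status, www_authenticate, verdict)."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        steps = [("/protected", None),                     # no credentials yet
                 ("/protected", ("alice", "wonderland")),  # logged in
                 ("/admin", ("bob", "builder")),           # logged in, not allowed
                 ("/logout", ("alice", "wonderland")),     # server-forced logoff
                 ("/protected", ("alice", "wrong"))]       # bad password: re-challenge
        return [(path, *request(server.server_address[1], path, creds))
                for path, creds in steps]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for row in run_exchange():
        print(row)
```

The client side deliberately keys its decision on the presence of www-authenticate rather than on the status code alone: that is what lets it tell a WAF's 403 (credentials kept) from a challenge (re-prompt) and from the hypothetical forced logoff (credentials dropped), and it is the distinction an older UA that ignores the missing header would simply fail to make.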