- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 22 Feb 2012 15:27:02 +0100
- To: Willy Tarreau <w@1wt.eu>
- CC: Robert Collins <robertc@squid-cache.org>, Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 2012-02-22 15:02, Willy Tarreau wrote:
> On Wed, Feb 22, 2012 at 02:37:44PM +0100, Julian Reschke wrote:
>>> 403 is quite a common error where WAF products are deployed, and it
>>> would have a disastrous effect if it would cause an automatic logout.
>>
>> That's why I suggested that the server decides by including the
>> necessary client side JS code...
>
> I think that sometimes the server wants to cause the logout (eg: application
> status code) and sometimes the user wants to log off. Many web developers

The server can send code that allows the user to make the decision.

> working in environments where basic auth is in use are used to opening/closing
> their browser all day due to the lack of a logoff button.

And in future there may be browsers that cannot be closed at all.

>>> That said, I totally agree with you that if we could get the browsers
>>> to include the logout method, we could start from a cleaner ground to
>>> propose more reliable and user-friendly solutions even in 1.1. Maybe
>>> we should consider that this feature exists and see what we can build
>>> based on that assumption?
>>
>> Maybe.
>>
>> My impression is that every time this topic comes up people compile a
>> large list of things-that-absolutely-need-to-be-done, and in the end
>> nothing ever happens because that list is too long, and there's
>> disagreement about what should be on the list.
>
> I'm not surprised. In fact, I tend to prefer basic building blocks on top
> of which other things may be built, but right now it's obvious that some
> such blocks are missing.
>
>> I think there's rough consensus that to make HTTP authentication work
>> better in practice, servers need to be able to log out the user. As far
>> as I can tell, a straightforward way to do so is to have a browser API
>> for that. It's a shame there's no progress on that.
>
> If we had the browsers provide the logoff button, then the current 403
> is already enough for user-initiated action. If we want the server to

Browsers will not add any new UI components without a very strong use case. That's why adding the button to the page *content* will work much better.

> force a logoff, we possibly need to define how this is supposed to be
> done. Note that in this case it's a change of authentication, which is
> different from a lack of authorization (eg: return 401 with an empty
> www-authenticate response).

When I say logout I mean "stop sending credentials until prompted again".

> I do think that all of that might be defined in 1.1 without touching
> the in-browser API if browser vendors collaborate; we just have to
> define how it should work and still be compatible with non-compliant
> browsers (possibly returning 401 without a www-authenticate header
> has no negative effect on older browsers, I'm just suggesting).
>
> It would be nice to have their opinion here. Patrick, Anne, any idea?
> We also need to keep in mind there are non-browser UAs. Maybe Daniel
> has some useful ideas based on how curl handles 401.
>
> Regards,
> Willy

Best regards, Julian
Received on Wednesday, 22 February 2012 14:27:49 UTC