Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 2012-02-22 15:02, Willy Tarreau wrote:
> On Wed, Feb 22, 2012 at 02:37:44PM +0100, Julian Reschke wrote:
>>> 403 is quite a common error where WAF products are deployed, and it
>>> would have a disastrous effect if it would cause an automatic logout.
>>
>> That's why I suggested that the server decides by including the
>> necessary client side JS code...
>
> I think that sometimes the server wants to cause the logout (eg: application
> status code) and sometimes the user wants to log off. Many web developers

The server can send code that allows the user to make the decision.

> working in environments where basic auth is in use are used to open/close
> their browser all the day due to the lack of logoff button.

And in future there may be browsers that can not be closed at all.

>>> That said, I totally agree with you that if we could get the browsers
>>> include the logout method, we could start from a cleaner ground to
>>> propose more reliable and user-friendly solutions even in 1.1. Maybe
>>> we should consider that this feature exists and see what we can build
>>> based on that assumption ?
>>
>> Maybe.
>>
>> My impression is that every time this topic comes up people compile a
>> large list of things-that-absolutely-need-to-be-done, and in the end
>> nothing ever happens because that list is too long, and there's
>> disagreement what should be on the list.
>
> I'm not surprised. In fact, I tend to prefer basic building blocks on top
> of which other things may be built, but right now it's obvious that some
> such blocks are missing.
>
>> I think there's rough consensus that to make HTTP authentication work
>> better in practice, servers need to be able to logout the user. As far
>> as I can tell, a straightforward way to do so is to have a browser API
>> for that. It's a shame there's no progress on that.
>
> If we had the browsers provide the logoff button, then the current 403
> is already enough for user-initiated action. If we want the server to

Browsers will not add any new UI components without a very strong use
case. That's why adding the button to the page *content* will work much
better.

> force a logoff, we possibly need to define how this is supposed to be
> done. Note that in this case it's a change of authentication, which is
> different from a lack of authorization (eg: return 401 with an empty
> www-authenticate response).

When I say logout I mean "stop sending credentials until prompted again".

> I do think that all of that might be defined in 1.1 without touching
> the in-browser API if browser vendors collaborate ; we just have to
> define how it should work and still be compatible with non-compliant
> browsers (possibly that returning 401 without a www-authenticate header
> has no negative effect on older browsers, I'm just suggesting).
>
> It would be nice to have their opinion here. Patrick, Anne, any idea ?
> We also need to keep in mind there are non-browser UAs. Maybe Daniel
> has some useful ideas based on how curl handles 401.
>
> Regards,
> Willy

Best regards, Julian

Received on Wednesday, 22 February 2012 14:27:49 UTC