
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Thu, 01 Mar 2012 00:04:49 +0100
Message-ID: <1330556689.24673.119.camel@home.hno.se>
To: Adrien de Croy <adrien@qbik.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thu 2012-03-01 at 09:14 +1300, Adrien de Croy wrote:
> > Not sure there even is a demand for protocol level indicated logoff
> > where the server at HTTP level tell the client to invalidate the cached
> > credentials.
> 
> Actually I would like to see this.
> 
> For example product admin back-ends which use http auth. We'd like to be 
> able to time out a user so someone else coming along (if the first user 
> didn't close the browser) doesn't gain access to things they shouldn't.

Yes. Applications need the ability to time out sessions.

Which begs the question, is that auth framework or scheme?

Digest auth can already be used in this manner by tracking server
nonce(s) or opaque, and forcing a 401 stale=false response if the
session has been timed out on the server side.

Regards
Henrik
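The server-side timeout Henrik describes, as an added example that is not part of the thread: a minimal Digest (RFC 2617, qop=auth) server that binds each session to the nonce it issued and answers a request on a timed-out session with 401 and stale=false, so the browser re-prompts instead of silently retrying with cached credentials. The realm, the 900 s lifetime and the user table are constructed values.

```python
import hashlib
import secrets

REALM = "admin"      # constructed realm for this example
SESSION_TTL = 900    # server-side session lifetime in seconds (constructed)
sessions = {}        # server state: nonce -> time the session bound to it started

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def challenge(now, stale):
    """401 Digest challenge; stale=false makes the browser re-prompt for credentials."""
    nonce = secrets.token_hex(16)
    sessions[nonce] = now
    return 401, (f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", '
                 f'stale={"true" if stale else "false"}')

def client_response(user, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 response for qop=auth, as the browser would compute it
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def check_request(auth, method, uri, ha1_lookup, now):
    """Validate a parsed Authorization header; return (status, WWW-Authenticate)."""
    started = sessions.get(auth["nonce"])
    if started is None or now - started > SESSION_TTL:
        # Unknown nonce or timed-out session: forget it and force a fresh login
        sessions.pop(auth["nonce"], None)
        return challenge(now, stale=False)
    ha1 = ha1_lookup(auth["username"]) or ""   # unknown user never verifies
    ha2 = md5(f"{method}:{uri}")
    expected = md5(f'{ha1}:{auth["nonce"]}:{auth["nc"]}:{auth["cnonce"]}:auth:{ha2}')
    if not secrets.compare_digest(expected, auth["response"]):
        return challenge(now, stale=False)
    return 200, None

def demo():
    # Constructed user database (stored as HA1 values) and a fixed clock
    users = {"alice": md5(f"alice:{REALM}:s3cret")}
    t0 = 1000.0
    _, hdr = challenge(t0, stale=False)
    nonce = hdr.split('nonce="')[1].split('"')[0]
    auth = {"username": "alice", "nonce": nonce, "nc": "00000001", "cnonce": "0a1b",
            "response": client_response("alice", "s3cret", "GET", "/admin", nonce, "00000001", "0a1b")}
    within = check_request(auth, "GET", "/admin", users.get, t0 + 60)[0]
    expired_status, expired_hdr = check_request(auth, "GET", "/admin", users.get, t0 + SESSION_TTL + 1)
    return within, expired_status, "stale=false" in expired_hdr
```

`demo()` returns `(200, 401, True)`: the same Authorization header is accepted a minute into the session and rejected with a stale=false challenge once the server-side lifetime has passed.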
Received on Wednesday, 29 February 2012 23:05:18 GMT
