W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 01 Mar 2012 13:19:30 +1300
To: <ietf-http-wg@w3.org>
Message-ID: <8006b39ebcca730ad54ae266dfd1de79@treenet.co.nz>
On 01.03.2012 12:04, Henrik Nordström wrote:
> tor 2012-03-01 klockan 09:14 +1300 skrev Adrien de Croy:
>> > Not sure there even is a demand for protocol level indicated 
>> logoff
>> > where the server at HTTP level tell the client to invalidate the 
>> cached
>> > credentials.
>>
>> Actually I would like to see this.
>>
>> For example product admin back-ends which use http auth. We'd like 
>> to be
>> able to time out a user so someone else coming along (if the first 
>> user
>> didn't close the browser) doesn't gain access to things they 
>> shouldn't.
>
> Yes. Applications need the ability to time out sessions.
>
> Which begs the question, is that auth framework or scheme?
>
> digest auth can already be used in this manner by tracking server
> nonce(s) or opaque, and forcing a 401 stale=false response if the
> session have been timed out on the server side.

Basic auth can do this in a limited way by using a nonce token instead 
of a password. The server rejecting with 401 the old "password" after a 
timeout. Requiring a new random or cyclic one to be sent by the client.

AYJ
Received on Thursday, 1 March 2012 00:19:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:56 GMT