- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Mon, 12 May 2014 18:40:07 +1000
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "henry.story@bblfish.net" <henry.story@bblfish.net>, "public-webid@w3.org" <public-webid@w3.org>
Sent from my iPad

> On 12 May 2014, at 5:32 pm, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> On 2014-05-07 11:48, henry.story@bblfish.net wrote:
>>> On 7 May 2014, at 08:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>>
>>> I don't claim knowing everything so please bear with me when I ask a simple question :-)
>>>
>>> Using JBoss and Tomcat (java-based) servers an HTTPS Client Certificate Authenticated
>>> session created from a browser *never terminates* regardless of session time-out settings
>>> because the TLS session has no link into the Java Servlet web session framework.
>>>
>>> Due to this neither manual logout nor automatic logout works in such setups.
>>>
>>> Q1: how do other web-servers enforce logout from the server-side?
>>> Q2: if other web-servers actually can do this, does this require TCP terminate?
>>> Q3: if other web-servers actually can do this, logout works for most/all browsers without specific measures?
>>
>> As far as I can tell a server cannot force logout of the client, since the browsers tend to resend the same certificate
>> to the server. You can only do this with Firefox which has a Javascript logout call currently. In my view login/logout
>> has to be handled by the client in the chrome.
>
> This is a unique problem for HTTPS Client Certificate Authentication; no other authentication
> method needs modifications of the chrome in order to perform logout or requires the client
> to support session timeout policies.
>
> I can though imagine a chrome-based identity context but it should be optional and universal.
> It should probably also address logout to *all* enabled sites that you have encountered
> during your session on the web.

IMHO Not if it's used to ID IoT rather than foaf... Still helps to define a specific IoT device, connected to specific authorised foafs...

Type 1 auth - user profile set for IoT x509 cert
Type 2 - user profile new to IoT x509 cert

Diff. On rww.io (etc); secondary tls inc. Foaf between cloud storage & app? Not sure. Theory is foaf lives on cloud account, not browser auth. To cloud rww storage...

> Anders
>
>> This has been identified as a key improvement browser manufacturers need to make for privacy reasons.
>>
>> Henry
>>
>>> Anders
>>
>> Social Web Architect
>> http://bblfish.net/
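The servlet-side half of the problem Anders raises (the TLS session having "no link into the Java Servlet web session framework") can be addressed without browser changes by binding an HttpSession to the presented certificate and enforcing timeout and logout on that session. The filter below is an added example, not code from this thread, from JBoss/Tomcat or from any of the people quoted; it assumes the Servlet 3.x `javax.servlet` API, that the filter is mapped to `/*`, and that `/login` and `/logout` are the application's own endpoints (both names are assumptions). It does not terminate the TLS session or stop the browser resending the certificate (Anders' Q2 and Henry's point stand); it only refuses to treat a silently resent certificate as a fresh login until the user deliberately POSTs to `/login`.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Binds a client-certificate-authenticated request to an HttpSession so that the
 * container's idle timeout and an explicit /logout end the application session,
 * even though the browser keeps presenting the same certificate on every request.
 */
public class CertSessionFilter implements Filter {
    private static final String SESSION_FP = "cert.fingerprint";
    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60; // assumption: 15 minute idle timeout
    private static final String LOGIN_PATH = "/login";       // assumption: explicit re-login endpoint
    private static final String LOGOUT_PATH = "/logout";     // assumption: logout endpoint

    // Fingerprints that logged out and must re-confirm with a POST to /login before
    // the resent certificate counts as a login again. Server-side state is needed
    // precisely because the browser will not stop sending the certificate.
    private final Set<String> loggedOut = ConcurrentHashMap.newKeySet();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String fp = fingerprint(request);
        if (fp == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        String path = request.getServletPath();

        if (LOGOUT_PATH.equals(path)) {
            HttpSession s = request.getSession(false);
            if (s != null) s.invalidate();
            loggedOut.add(fp);
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }

        HttpSession session = request.getSession(false);
        boolean bound = session != null && fp.equals(session.getAttribute(SESSION_FP));

        if (!bound) {
            // No live application session for this certificate (never logged in, idle
            // timeout expired, or logged out). A logged-out certificate must be
            // re-confirmed by a deliberate POST to /login, not by a silent resend.
            boolean explicitLogin = LOGIN_PATH.equals(path) && "POST".equals(request.getMethod());
            if (loggedOut.contains(fp) && !explicitLogin) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "logged out; POST " + LOGIN_PATH + " to log in again");
                return;
            }
            loggedOut.remove(fp);
            if (session != null) session.invalidate(); // session bound to a different certificate
            session = request.getSession(true);
            session.setAttribute(SESSION_FP, fp);
            session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS); // container now enforces idle timeout
        }
        chain.doFilter(req, res);
    }

    /** SHA-256 over the DER-encoded leaf certificate, or null if no certificate was presented. */
    static String fingerprint(HttpServletRequest request) {
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) return null;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(certs[0].getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            return null;
        }
    }
}
```

Two caveats for anyone deploying something like this: the `loggedOut` set lives in one JVM and grows until restart, so a clustered or long-running deployment would keep it in a shared, expiring store instead; and because the certificate is still sent on every request, "logout" here is an application-level decision only, which is the limitation Henry describes.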
Received on Monday, 12 May 2014 08:40:39 UTC