W3C home > Mailing lists > Public > public-xg-webid@w3.org > July 2011

RE: SSL Logout possibility in Javascript

From: Peter Williams <home_pw@msn.com>
Date: Wed, 27 Jul 2011 09:46:32 -0700
Message-ID: <SNT143-w45FBB6B286CFF94E298A9892350@phx.gbl>
To: <henry.story@bblfish.net>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
CC: "yngve@opera.com" <yngve@opera.com>


 And, if you have multiple tabs open, or multiple browser instances open, what happens? And, what happens for each browser vendor? (note IE and mozilla have VERY different models of SSL state and cookie management, across tabs and instances). If  instance of a session "duplicated" by ctrl-A at a second instance then the second browser instance engages in multuple new connections, spawned off that DUPLICATED SSL session, what happens when one does windows close in the first browser instance, on the pre-duplicated SSL Session? Try to do the harder use cases, not the trivial ones. ONe has to study tghe nature of https, and the way the SSL session/connection works - when supproting browser-specific hypermedia, auto-rendered img tags on https URIs under DOM processing, the javascript/css pipeline etc  From: henry.story@bblfish.net
Date: Wed, 27 Jul 2011 18:15:08 +0200
CC: yngve@opera.com
To: public-xg-webid@w3.org; public-identity@w3.org; tls@ietf.org
Subject: Re: SSL Logout possibility in Javascript



I have just played around with the javascript login/logout possibilities mentioned by Anders Rundgren. The javascript I am using is that the end. Note that I am using xhtml currently, so that may have its own side effects - i.e., perhaps things work better in plain html... I am trying to see if login also works with javascript. That would be very useful, because people can easily click on the cancel button of a certificate, and the browser then remembers that decision. So I am looking to see if one can then force a login again...
Here are some temporary conclusions with browsers I tried on OSX
Firefox 5.0.1
 - logout works - login works if clicking the cancel button. One has to go to a new web page though.
Safari 5.1
  - logout does not work with javascript   (but Safari does recognise TLS error codes sent, so that those can be used to logout - I have not tested this version though)
Chrome 13.0.782.99
  - logout does not work and neither does login
Opera 11.50   - login, logout: does not recognise the window.crypto object 
So that is good news. I guess that means we have Internet Explorer and Firefox we can easily logout with. Being able to log-in again as with Firefox in case a mistake is made is also very helpful.Are there some other tricks one can use perhaps?
//this is for xhtml//these functions are described here http://html5.creation.net/webcrypto-api/<script language="JavaScript" type="text/javascript"> <![CDATA[     function logout() {     if (document.all == null) // FF, Opera, etc        {                 alert('logout in ff,opera...')           if (window.crypto) window.crypto.logout();           else alert('no window.crypto')        }            else // MSIE 6+        {                 alert('logout in msie')            document.execCommand('ClearAuthenticationCache');        };          }     function login() {     if (document.all == null) // FF, Opera, etc        {                 alert('login in ff,opera...')           if (window.crypto) window.crypto.logout();            else alert('no window.crypto')        }            else // MSIE 6+        {                 alert('login in msie')            document.execCommand('ClearAuthenticationCache');        };          } ]]> </script>
Social Web Architect
http://bblfish.net/
 		 	   		  
Received on Wednesday, 27 July 2011 16:47:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 July 2011 16:47:00 GMT