
Add timeouts for security to HTML

From: Sameer Ajmani <ajmani@chord.lcs.mit.edu>
Date: Wed, 19 Apr 2000 16:30:38 -0400
Message-Id: <200004192030.QAA12684@chord.lcs.mit.edu>
To: www-html@w3.org

I have a proposal for a feature to add to HTML; my apologies if it has
been proposed before:

Many sites have incorporated authentication mechanisms to guard clients'
private data.  The servers also time out client sessions to prevent (in
theory) the wrong people from using a client's browser session to access
private data.  Unfortunately, this doesn't hide data on the screen or remove
data from the client's cache.

I suggest an HTML tag that specifies when an object should "timeout":
the browser can "gray out" the classified object when the specified
amount of time has passed since the page was loaded from the server.
Alternately, the server could specify an expiration date for the
object.  The browser should also gray out classified objects on pages in
cache.

I'm not sure if such a scheme would be accepted as a feature or an
annoyance, but it should improve security.  Of course, this requires
that classified data be encrypted when stored on disk (and possibly in
memory as well).  Unfortunately, I'm not familiar enough with XHTML to
suggest a syntax, but it may be possible to use its event model to
schedule timeouts.

I'd appreciate any and all comments, and please let me know if this has
been suggested before (I checked the archives and didn't find much).

Thanks,
--Sameer Ajmani
MIT Lab for Com Sci
ajmani@mit.edu
Received on Wednesday, 19 April 2000 16:30:39 GMT
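
The timeout behaviour proposed in the message can be approximated with page script. The following is an added example, not part of the original message and not a standard HTML feature; the data-timeout (seconds since load) and data-expires (date) attributes and both function names are hypothetical.

```javascript
// Added example: hypothetical data-timeout / data-expires attributes,
// not a syntax proposed in the message or defined by any HTML standard.

// Earliest deadline (ms since epoch) for one element, or null if unmarked.
function deadlineFor(dataset, loadedAt) {
  const deadlines = [];
  if (dataset.timeout !== undefined) {
    const seconds = Number(dataset.timeout);
    // Fail closed: an unparsable or negative timeout expires immediately.
    const valid = Number.isFinite(seconds) && seconds >= 0;
    deadlines.push(valid ? loadedAt + seconds * 1000 : loadedAt);
  }
  if (dataset.expires !== undefined) {
    const at = Date.parse(dataset.expires);
    deadlines.push(Number.isNaN(at) ? loadedAt : at);
  }
  return deadlines.length ? Math.min(...deadlines) : null;
}

// Blank every expired element under root; return the next pending deadline.
function redactExpired(root, loadedAt, now) {
  let next = null;
  for (const el of root.querySelectorAll('[data-timeout],[data-expires]')) {
    const deadline = deadlineFor(el.dataset, loadedAt);
    if (deadline === null || el.dataset.redacted === 'true') continue;
    if (now >= deadline) {
      // Remove the text itself; styling it gray would leave it in the DOM.
      el.textContent = '[expired]';
      el.dataset.redacted = 'true';
    } else if (next === null || deadline < next) {
      next = deadline;
    }
  }
  return next;
}

// Browser wiring: re-check on a timer and whenever the page is shown again,
// including when it is restored from the back/forward cache.
if (typeof window !== 'undefined') {
  const loadedAt = Date.now(); // assumption: client clock at first load
  const tick = () => {
    const next = redactExpired(document, loadedAt, Date.now());
    if (next !== null) setTimeout(tick, Math.max(0, next - Date.now()));
  };
  window.addEventListener('pageshow', tick);
}
```

Script of this kind only affects the rendered page; copies in the browser's cache are governed by the caching headers the server sends with the response.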
