
Re: Logging out from Facebook

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 26 Sep 2011 22:52:21 +0200
Cc: John Kemp <john@jkemp.net>, "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <A126270B-350D-4691-82FF-80D07CC64349@bblfish.net>
To: Bjoern Hoehrmann <derhoermi@gmx.net>

On 26 Sep 2011, at 20:38, Bjoern Hoehrmann wrote:

> * John Kemp wrote:
>> The problem is that users (whether laymen or IT professionals) expect
>> that when they click 'logout' or 'remove my cookies', their 'session'
>> state with that site is removed. I certainly have that expectation too.
>> After all, a session should be a session. Not some indefinite period of
>> time. What is the valid need for 'client state' when the client is not
>> working on my behalf at the server (i.e. I am logged-in at that site?)
> 
> So the state information can be used during the next sign-in. Martin J.
> Dürst already noted retaining the user's locale to present the sign-in
> page in the user's preferred language. Another use would be logging the
> user out more aggressively when the user signs in using an unfamiliar
> browser like from an Internet Cafe. Note that you can turn this around
> and question setting cookies before the user logs in or does something
> else that indicates the user would like state to be maintained (adding
> something to a shopping cart for instance). The only difference is that
> the data can be associated with the account more easily and accurately.

You could allow that, and have an anonymousisch state, which the user could then name after a while if he wishes, allowing him then always to create another shorter-lived anonymousisch state - and so allowing him to see what the difference is in the way he is served.

But if we look at the bigger security picture - not just cookies - but allow our gaze now to move to transport layer security (TLS), we will notice that that too will work a lot better if a good UI is given to the user where he can select his certificate. It happens to be very difficult to do TLS logout from the server, since the browsers send the same certificates again and again. There are a few tricks to get client certificate logout to work in Firefox and Internet Explorer using JavaScript, but really the correct place to put this functionality is in a clear, consistent and well understood, highly visible place in the browser chrome.

This is the argument developed in "The WebID protocol and Browsers" referred to earlier in this thread:

  http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_22/webid.html

And we point from there to the prototypes put together by Aza Raskin:

  http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

I don't think this is a problem either for web servers or for clients. It is a question of control and transparency of state to the end user.


Henry

> -- 
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
> 

Social Web Architect
http://bblfish.net/
Received on Monday, 26 September 2011 20:52:52 GMT
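The thread above turns on two points: John Kemp's expectation that 'logout' removes the session, and Bjoern's note that some pre-login state (such as a locale) is legitimately kept. The following is an added illustration, not code from any participant or from the WebID paper, of how a server can honour both: the authenticated session lives in a server-side table keyed by a random id, logout deletes that entry and expires the `sid` cookie, while a separate, account-independent `locale` cookie survives. The session store, cookie names and the tiny client-side cookie jar are constructed for this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed server-side session table: session id -> session record.
# Logout must remove the entry here; deleting only the browser cookie
# would leave a replayable session on the server.
SESSIONS = {}


def login(user: str, locale: str):
    """Create a server-side session; return (sid, Set-Cookie header values)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "created": time.time()}
    headers = [
        # Authenticated session: bound to server-side state, session-scoped.
        f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax",
        # Preference state: not tied to the account, deliberately survives logout.
        f"locale={locale}; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
    ]
    return sid, headers


def logout(sid: str):
    """Revoke the server-side session and tell the browser to drop the cookie."""
    SESSIONS.pop(sid, None)
    return ["sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"]


def authenticate(cookie_header_value: str):
    """Resolve a request's Cookie header to a user name, or None if no live session."""
    jar = SimpleCookie()
    jar.load(cookie_header_value)
    sid = jar["sid"].value if "sid" in jar else None
    session = SESSIONS.get(sid)
    return session["user"] if session else None


def apply_set_cookie(jar: dict, set_cookie_values):
    """Minimal constructed client cookie jar: Max-Age=0 means delete."""
    for value in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(value)
        for name, morsel in parsed.items():
            if morsel["max-age"] == "0":
                jar.pop(name, None)
            else:
                jar[name] = morsel.value
    return jar


def cookie_header(jar: dict) -> str:
    """Serialise the jar as a request Cookie header value."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def demo():
    """Walk through login, logout and a replay of the pre-logout cookie."""
    jar = {}
    sid, headers = login("alice", "de")
    apply_set_cookie(jar, headers)
    logged_in_user = authenticate(cookie_header(jar))
    stale = cookie_header(jar)  # what an attacker who copied the cookie would replay
    apply_set_cookie(jar, logout(sid))
    return {
        "logged_in_user": logged_in_user,
        "after_logout_user": authenticate(cookie_header(jar)),
        "replayed_old_cookie_user": authenticate(stale),
        "locale_kept": jar.get("locale"),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth keeping is the replay line: after logout the old `sid` must fail even if a copy of the cookie still exists somewhere, which is only true because `logout` deletes the server-side record rather than relying on the browser to discard the cookie.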
