- From: Scott Lawrence <lawrence@agranat.com>
- Date: Fri, 13 Feb 1998 15:19:22 -0500 (EST)
- To: Jim Gettys <jg@pa.dec.com>
- Cc: Koen Holtman <koen@win.tue.nl>, http-wg@cuckoo.hpl.hp.com, http-wg@hplb.hpl.hp.com
On Fri, 13 Feb 1998, Jim Gettys wrote: > Here's my revision, given Ted and Koen's comments... > - Jim > > 15.6 Authentication Credentials and Idle Clients > > Existing HTTP clients and user agents typically retain authentication > information indefinately. HTTP/1.1. does not provide a method for an origin > server or proxy to force reauthentication. Since clients may be idle for > extended periods between use (and unauthorized users may have access to > the user agent during these idle periods), this is a significant defect > that requires further extensions to HTTP. This is currently under separate > study. For user agents, there are a number of work-arounds to parts of > this problem, and we enourage the use of password protection in screen > savers, idle time-outs, and other methods which mitigate the security > problems inherent in this problem. I believe that the problem is somewhat more general than reauthentication. There are times when the web application developer would like to force the client to discard credentials whether or not they should then be reaquired. The simplest example is the often-asked question: "How do I get the browser to discard the credentials when the user presses my 'logout' form submit button?". We've been going back and forth on the http-ext list about whether this is the same requirement or not...
Received on Friday, 13 February 1998 12:21:21 UTC