W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 2001

Re: Logout

From: Dave Kristol <dmk@research.bell-labs.com>
Date: Tue, 2 Jan 2001 14:15:42 -0500 (EST)
Message-Id: <200101021915.OAA21597@aleatory.research.bell-labs.com>
To: erik@primedata.org
Cc: http-wg@cuckoo.hpl.hp.com
"Erik Aronesty" <erik@primedata.org> wrote:
  > Dear Sirs,
  > Is it required that user agents have a mechanism for expiring or forgetting
  > the passwords that are used to access HTTP servers?  IE: a "logout" button
  > for HTTP built-in authentication.
  > I imagine that this is the sort of requirement that HTTP people think that
  > this should be in the HTML group - and vice-versa.
  > However it is an embarrassing oversight in modern browsers.


You have touched on one of *my* hot buttons.  I have argued for such a
thing for, oh, about six years.  Obviously without success.  As you
guess, it's not an HTTP issue, having nothing really to do with the
*protocol*.  But it's also not an HTML issue, having nothing to do with
the content of pages.  Rather it's a user interface issue, and thus at
the discretion of the browser vendors.  And, for whatever reason, they
have never been interested in providing a way to discard passwords,
except to exit the browser.

I can think of two situations where such a feature would be *really*

1) When I'm trying to debug server-side authentication code, and I want
to force the browser I'm using to forget its passwords.

2) In an environment where machines are shared (college computer lab,
public library, Internet cafe), and I want to discard the passwords
I've entered before I leave the machine.

Similar reasoning would recommend a feature to discard all cookies, as
well, but that's another topic entirely. :-)

Dave Kristol
Received on Tuesday, 2 January 2001 19:17:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:16:36 UTC