Re: Logout from Erik Aronesty on 2001-01-02 (ietf-http-wg@w3.org from January to March 2001)

From: Erik Aronesty <erik@primedata.org>
Date: Tue, 2 Jan 2001 16:12:39 -0500
To: Scott Lawrence <slawrence@virata.com>
Cc: http-wg@cuckoo.hpl.hp.com
Message-ID: <197a01c07500$c1ad6530$cd4751d1@primedata.org>

> > the passwords that are used to access HTTP servers?  IE: a "logout"
button
> > for HTTP built-in authentication.
> >
> > I imagine that this is the sort of requirement that HTTP people think
that
> > this should be in the HTML group - and vice-versa.
> >
> > However it is an embarrassing oversight in modern browsers.
>
> One that some of us have tried hard to overcome, to no avail.  The
> basic problem is that the browser vendors have listened carefully to
> what thier customers want, and have heard loud and clear that they
> don't want to have to remember passwords.

Over 600 users have asked us within the last year how to "log out" of sites
such as etrade and daytek which use HTTP based authentication.

Browser customers don't want to remember passwords - however they want
a "logout button" as well.  This is not a paradox and there is no
inextricable reason why
browsers can't cache usr information but have a button for "clearing the
cache"

I think the real reason that this has not been done is because both major
browsers today have other agendas regarding network access and security.

Currently there is no way to clear the cache by having an HTTP server
request
it to be cleared - or by a user initiating the clearing of this information.
This
is a basic security leak - and should be plugged.

> Paul Leach of Microsoft and I attempted to provide a framework for a
> solution to this and some related problems in a submission to the
> W3C (User Agent Authentication Forms) in February of 1999:
>
>     http://www.w3.org/TR/1999/NOTE-authentform-19990203


However, this is a "forms based" solution which undermines digest
authentication
and other more "standard" forms of authentication - that have proved very
helpful
to developers of web applications.

Simply, there should be one line added to section 4.13

    ftp://ftp.isi.edu/in-notes/rfc2617.txt

"It is reccomended that the authenticating agent provide a set mechanisms
for
removing entries from the "password file" associated with a given realm, for
the purposes of logging out of a system."

And that's about all that's necessary.

I don't think it needs a whole RFC ... just an addendum to existing ones.

            - Erik

Received on Tuesday, 2 January 2001 13:10:06 UTC