- From: Erik Aronesty <erik@primedata.org>
- Date: Tue, 2 Jan 2001 16:15:03 -0500
- To: Erik Aronesty <erik@primedata.org>, Scott Lawrence <slawrence@virata.com>
- Cc: http-wg@cuckoo.hpl.hp.com, support@microsoft.com
Sorry I found it... there is a recommendation, Microsoft and Netscape just blindly ignore it:

Section 15.6 "Authentication Credentials and Idle Clients":

"In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism for discarding cached credentials under user control."

Which neither do - even though it's a security hole.

- Erik

----- Original Message -----
From: "Erik Aronesty" <erik@primedata.org>
To: "Scott Lawrence" <slawrence@virata.com>
Cc: <http-wg@cuckoo.hpl.hp.com>
Sent: Tuesday, January 02, 2001 4:12 PM
Subject: Re: Logout

> > > the passwords that are used to access HTTP servers? I.e., a "logout" button
> > > for HTTP built-in authentication.
> > >
> > > I imagine that this is the sort of requirement that HTTP people think that
> > > this should be in the HTML group - and vice-versa.
> > >
> > > However it is an embarrassing oversight in modern browsers.
> >
> > One that some of us have tried hard to overcome, to no avail. The
> > basic problem is that the browser vendors have listened carefully to
> > what their customers want, and have heard loud and clear that they
> > don't want to have to remember passwords.
>
> Over 600 users have asked us within the last year how to "log out" of sites
> such as etrade and daytek which use HTTP based authentication.
>
> Browser customers don't want to remember passwords - however they want
> a "logout button" as well. This is not a paradox and there is no
> inextricable reason why browsers can't cache user information but have
> a button for "clearing the cache".
>
> I think the real reason that this has not been done is because both major
> browsers today have other agendas regarding network access and security.
>
> Currently there is no way to clear the cache by having an HTTP server request
> it to be cleared - or by a user initiating the clearing of this information.
> This is a basic security leak - and should be plugged.
>
> > Paul Leach of Microsoft and I attempted to provide a framework for a
> > solution to this and some related problems in a submission to the
> > W3C (User Agent Authentication Forms) in February of 1999:
> >
> > http://www.w3.org/TR/1999/NOTE-authentform-19990203
>
> However, this is a "forms based" solution which undermines digest authentication
> and other more "standard" forms of authentication - that have proved very helpful
> to developers of web applications.
>
> Simply, there should be one line added to section 4.13
>
> ftp://ftp.isi.edu/in-notes/rfc2617.txt
>
> "It is recommended that the authenticating agent provide a set of mechanisms for
> removing entries from the "password file" associated with a given realm, for
> the purposes of logging out of a system."
>
> And that's about all that's necessary.
>
> I don't think it needs a whole RFC ... just an addendum to existing ones.
>
> - Erik
>
Received on Tuesday, 2 January 2001 13:10:10 UTC