Re: REAUTHENTICATION REQUIRED

Paul Leach wrote:
> [...]
> A user agent MUST NOT reuse the same credentials if a substantial amount of
> time has passed without any user activity -- for example, the current user
> may have left their browser, and an unauthorized one started using it. It is
> RECOMMENDED that this time not exceed one hour, and that it be configurable.

I have argued for several years that a browser ought to have a way to
let a user say "forget all my authentication stuff".  However, as a
user, I dislike this suggestion of a timeout.  I keep the browser on my
workstation up as long as the browser and OS don't crash.  I don't
particularly want to have to reauthenticate myself every hour or so.

The problem you're trying to solve is one of machines shared by multiple
users.  Better to address that problem in all its glory (including
shared cookies, for example), than to nibble around the edges with a
timeout for a specific authentication problem.

Dave Kristol

Received on Thursday, 20 November 1997 11:20:07 UTC
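As an added illustration of the two behaviours discussed above (this is not code from the thread, from the draft Leach quotes, or from any actual browser), the following models a user agent's credential cache: credentials are discarded once a configurable idle period with no user activity has passed, with the one-hour figure as the default, and there is a single "forget all my authentication stuff" action of the kind Kristol asks for. Class, method and origin/realm names are invented for the example; the clock is injectable so the idle timeout can be exercised deterministically.

```javascript
// Added example, not from the original message or any browser's code.
// Models the draft text's rule: a user agent must not reuse cached
// credentials once a substantial time has passed without user activity
// (RECOMMENDED no more than one hour, configurable), together with an
// explicit "forget everything" action.

const ONE_HOUR_MS = 60 * 60 * 1000;

class CredentialCache {
  // idleTimeoutMs: idle period after which all cached credentials are dropped.
  // now: function returning the current time in ms (injected for testing).
  constructor({ idleTimeoutMs = ONE_HOUR_MS, now = Date.now } = {}) {
    if (idleTimeoutMs > ONE_HOUR_MS) {
      // The draft only RECOMMENDS the one-hour bound, so this is a warning, not an error.
      console.warn(`idle timeout of ${idleTimeoutMs} ms exceeds the recommended one hour`);
    }
    this.idleTimeoutMs = idleTimeoutMs;
    this.now = now;
    this.entries = new Map();              // key -> { username, password }
    this.lastUserActivity = this.now();    // browser-wide, per the draft's wording
  }

  // Credentials are scoped to an origin plus a protection space (realm).
  static key(origin, realm) {
    return `${origin}\u0000${realm}`;
  }

  // Called on genuine user interaction (click, keypress, navigation).
  // Background requests deliberately do not count as activity.
  noteUserActivity() {
    this.lastUserActivity = this.now();
  }

  isIdle() {
    return this.now() - this.lastUserActivity > this.idleTimeoutMs;
  }

  // Remember credentials the user just entered for a challenge.
  store(origin, realm, username, password) {
    this.expireIfIdle();
    this.entries.set(CredentialCache.key(origin, realm), { username, password });
  }

  // Returns cached credentials to reuse, or null when the user agent must
  // prompt the user again (never cached, or the idle timeout has elapsed).
  lookup(origin, realm) {
    this.expireIfIdle();
    return this.entries.get(CredentialCache.key(origin, realm)) || null;
  }

  // The "forget all my authentication stuff" action.
  forgetAll() {
    this.entries.clear();
  }

  // Enforce the draft's rule: once idle past the limit, nothing may be reused.
  expireIfIdle() {
    if (this.isIdle()) this.forgetAll();
  }

  size() {
    return this.entries.size;
  }
}

// Small scripted walk-through with a fake clock; returns the observed
// lookup results so they can be checked rather than only printed.
function demo() {
  let t = 0;
  const cache = new CredentialCache({ idleTimeoutMs: 1000, now: () => t });
  // Hypothetical origin and realm, constructed for the example.
  cache.store("https://wiki.example.test", "staff", "alice", "correct horse");

  const immediate = cache.lookup("https://wiki.example.test", "staff");
  t = 500;  cache.noteUserActivity();          // user is still active
  t = 1400;                                    // 900 ms idle: within the limit
  const withinLimit = cache.lookup("https://wiki.example.test", "staff");
  t = 2600;                                    // 2100 ms idle: over the limit
  const afterIdle = cache.lookup("https://wiki.example.test", "staff");

  return {
    immediate: immediate && immediate.username,
    withinLimit: withinLimit && withinLimit.username,
    afterIdle,                                 // null: user must be re-prompted
    remaining: cache.size(),
  };
}
```

Note that the idle clock is browser-wide rather than per credential, which follows the draft's wording ("without any user activity"); a per-site timer would still let a walk-up user reuse credentials for sites the previous user visited just before leaving.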