- From: Scott Lawrence <lawrence@agranat.com>
- Date: Tue, 25 Nov 1997 12:17:16 -0500
- To: Maurizio Codogno <mau@beatles.cselt.it>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>>>>> "MC" == Maurizio Codogno <mau@beatles.cselt.it> writes:

MC> As some pointed out, often it is the client, not the server, which
MC> would like to forget the auth info (but this does not belong to HTTP);
MC> moreover the server cannot be sure that the client forgets the infos.

The proposal is to provide a mechanism whereby the server can direct the client to discard the user credentials. Clients should also have other mechanisms for doing the same things - for example, there should always be some way for the user to direct a browser to delete any stored credentials (so the user can leave a shared system without leaving credentials for the next user).

MC> This all said, shouldn't the server send a cookie (oops, wrong term :-))
MC> which the client should send back together with the usual Authentication:
MC> data?

As I wrote the proposal, 'discard' can't be combined with other uses of the Authentication-Info header, such as nextnonce; this may have been a mistake.

--
Scott Lawrence         EmWeb Embedded Server      <lawrence@agranat.com>
Agranat Systems, Inc.  Engineering                http://www.agranat.com/
Received on Tuesday, 25 November 1997 09:21:04 UTC