- From: Scott Lawrence <lawrence@agranat.com>
- Date: Mon, 02 Feb 1998 21:52:20 -0500
- To: http-wg@cuckoo.hpl.hp.com
>>>>> "JC" == Josh Cohen <joshco@MICROSOFT.com> writes: JC> 1) the server needs a way to send a message to the client saying JC> please revalidate your credentials with the user I know that I sound like a broken record here, but the minimal requirement is to instruct the user agent to discard the current credentials - whether or not it should then obtain new ones depends on whether or not it has another request to send that requires them, which might be immediatly or next month. A 'Logout' function does not require that new credentials be obtained - in fact, doing so would defeat the very purpose of discarding the current set. A 'Revalidate' function can be accomplished by instructing the user agent to discard current credentials in any redirection or authentication-required response. JC> 2) the server needs a way to detect that the client has JC> or is at least claiming to knowingly complete the task JC> ... (else how would you know if the client actually revalidated?) But the assurance means nothing; in neither case can the server know anything about what the user agent did. -- Scott Lawrence EmWeb Embedded Server <lawrence@agranat.com> Agranat Systems, Inc. Engineering http://www.agranat.com/
Received on Monday, 2 February 1998 18:58:36 UTC