- From: Jim Gettys <jg@pa.dec.com>
- Date: Thu, 12 Feb 1998 13:44:01 -0800
- To: http-wg@cuckoo.hpl.hp.com
I've pulled Paul's proposal from Rev-02 for RE-AUTHENTICATION-REQUESTED per the discussion in Washington and the mailing list. The lack of this facility does need discussion in the Security Considerations section, however. So I had an editorial task to generate such a section. Here's my crack at drafting such a section. Comments welcome (for a short while, anyway...).

- Jim

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients typically retain authentication information indefinitely. HTTP/1.1 lacks a facility to force reauthentication of clients, which may have been idle for extended periods, by an origin server or a proxy. This is considered a significant defect that requires further additions to HTTP, and is under separate study. There are a number of work-arounds to parts of this problem, and we encourage the use of password-protected screen savers on idle clients to mitigate some of the resulting security problems.
Received on Thursday, 12 February 1998 13:47:05 UTC
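Editor's added example (not part of the message above or of the HTTP-WG draft) of the server side of the work-around the draft section alludes to: an origin server that records when each user last made an authenticated request and issues a fresh 401 challenge once that user has been idle past a threshold. The names (`parse_basic`, `basic_header`, `IdleTrackingServer`), the realm, the 600-second threshold and the credential table are all assumptions constructed for illustration. The example also shows the limit the draft text describes: after the idle challenge, the same cached credentials are still valid, so a client that simply resends them gets a new session without the user being consulted; the server has no standard way to tell the difference.

```python
"""Idle-client re-authentication on the server side, as a worked example.

Constructed for illustration; nothing here is from the http-wg message or
the HTTP/1.1 draft. Realm, timeout and user table are assumptions.
"""
import base64
import binascii
import hmac
import time

REALM = "example"                    # assumed realm name
IDLE_TIMEOUT_SECONDS = 600           # assumed idle threshold
USERS = {"alice": "correct horse battery"}   # constructed credential table
CHALLENGE = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}


def basic_header(user, password):
    """Build the Authorization header a client would send for Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(authorization):
    """Parse a Basic Authorization header into (user, password).

    Returns None for a missing, non-Basic, non-base64 or colon-less value so
    that a malformed header is treated as 'no credentials', not as an error.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


class IdleTrackingServer:
    """Origin server that challenges again once a user has been idle too long.

    The 401 is all HTTP/1.1 offers. Whether the client then asks the user for
    the password again, or silently resends what it cached, is up to the
    client; that is the gap the draft's Security Considerations text names.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so tests can drive time
        self.last_seen = {}         # user -> time of last authenticated request

    def handle(self, authorization):
        """Return (status, headers) for a request carrying the given header."""
        now = self.clock()
        creds = parse_basic(authorization)
        if creds is None:
            return 401, dict(CHALLENGE)
        user, password = creds
        expected = USERS.get(user)
        # Constant-time comparison; an unknown user compares against an empty string.
        if expected is None or not hmac.compare_digest(
                expected.encode("utf-8"), password.encode("utf-8")):
            return 401, dict(CHALLENGE)
        last = self.last_seen.get(user)
        if last is not None and now - last > self.idle_timeout:
            # Idle too long: forget the session and challenge again. The
            # credentials themselves are still valid, so a client that
            # replays them will simply get a fresh session next request.
            del self.last_seen[user]
            return 401, dict(CHALLENGE)
        self.last_seen[user] = now
        return 200, {}


if __name__ == "__main__":
    # Walk through the exchange with a fake clock so the idle period is instant.
    t = [0.0]
    srv = IdleTrackingServer(clock=lambda: t[0])
    hdr = basic_header("alice", "correct horse battery")
    print("first request:", srv.handle(hdr)[0])      # 200
    t[0] = IDLE_TIMEOUT_SECONDS + 1
    print("after idle:", srv.handle(hdr)[0])         # 401, challenge re-issued
    print("cached replay:", srv.handle(hdr)[0])      # 200, user never consulted
```

The last two lines of the walk-through are the point: the server can expire its own notion of the session, but it cannot make the client discard what it cached, so the password-protected screen saver the draft recommends is what actually stands between an unattended client and whoever sits down at it.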