- From: Jim Gettys <jg@pa.dec.com>
- Date: Fri, 13 Feb 1998 12:10:22 -0800
- To: Koen Holtman <koen@win.tue.nl>, http-wg@cuckoo.hpl.hp.com
Here's my revision, given Ted and Koen's comments... - Jim

15.6 Authentication Credentials and Idle Clients

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for an origin server or proxy to force reauthentication. Since clients may be idle for extended periods between use (and unauthorized users may have access to the user agent during these idle periods), this is a significant defect that requires further extensions to HTTP. This is currently under separate study.

For user agents, there are a number of work-arounds to parts of this problem, and we encourage the use of password protection in screen savers, idle time-outs, and other methods which mitigate the security problems inherent in this problem.
Received on Friday, 13 February 1998 12:15:14 UTC
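Added example, not code from Jim's post or from any HTTP/1.1 implementation: one of the user-agent-side work-arounds the section mentions, a per-realm credential cache that forgets Basic credentials after an idle period, so a user agent left unattended eventually stops replaying them even though the server has no way to demand reauthentication. The realm name and the Aladdin/open sesame credentials are constructed sample values; the clock is injectable so the idle behaviour can be exercised without waiting.

```python
import base64
import time
from typing import Optional


class CredentialCache:
    """Per-realm cache of Basic-auth credentials with an idle time-out.

    HTTP/1.1 gives the server no way to force reauthentication, so the
    user agent must decide on its own when cached credentials go stale.
    Here an entry is dropped once it has gone unused for idle_timeout
    seconds, which forces a fresh password prompt on the next request.
    """

    def __init__(self, idle_timeout: float, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self._clock = clock            # injectable clock (seconds) for testing
        self._entries = {}             # realm -> (encoded credentials, last-used time)

    def store(self, realm: str, user: str, password: str) -> None:
        # RFC 2617 Basic encoding: base64("user:password")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._entries[realm] = (token, self._clock())

    def authorization_header(self, realm: str) -> Optional[str]:
        """Return the Authorization value for the realm, or None.

        None means the realm is unknown or the entry has been idle too
        long; in the latter case the entry is purged, not merely hidden.
        A successful lookup refreshes the idle timer.
        """
        entry = self._entries.get(realm)
        if entry is None:
            return None
        token, last_used = entry
        now = self._clock()
        if now - last_used > self.idle_timeout:
            del self._entries[realm]   # idle too long: forget the credentials
            return None
        self._entries[realm] = (token, now)
        return f"Basic {token}"


if __name__ == "__main__":
    fake_now = [0.0]
    cache = CredentialCache(idle_timeout=600, clock=lambda: fake_now[0])
    cache.store("WallyWorld", "Aladdin", "open sesame")
    print(cache.authorization_header("WallyWorld"))   # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    fake_now[0] = 700.0                               # 700 s idle, past the 600 s limit
    print(cache.authorization_header("WallyWorld"))   # None
```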