- From: Douglas Sims <jds@mem.net>
- Date: Tue, 02 Jan 2001 13:42:06 -0600
- To: Dave Kristol <dmk@research.bell-labs.com>
- CC: http-wg@cuckoo.hpl.hp.com
I decided several years ago to stop using http authentication and instead use a similar system with cookies, because http authentication transmits everything in unencoded form. I realize that cookies don't provide much better security as the initial password is going to be unencoded, but somehow I got some (no doubt misplaced) peace of mind out of that.

As to your question though, with cookies it's easy enough to just set a cookie with the same name but a different value. The new cookie will wipe out the old cookie.

-Doug Sims

Dave Kristol wrote:

> "Erik Aronesty" <erik@primedata.org> wrote:
> >
> > Dear Sirs,
> >
> > Is it required that user agents have a mechanism for expiring or forgetting
> > the passwords that are used to access HTTP servers? IE: a "logout" button
> > for HTTP built-in authentication.
> >
> > I imagine that this is the sort of requirement that HTTP people think that
> > this should be in the HTML group - and vice-versa.
> >
> > However it is an embarrassing oversight in modern browsers.
>
> <sigh>
>
> You have touched on one of *my* hot buttons. I have argued for such a
> thing for, oh, about six years. Obviously without success. As you
> guess, it's not an HTTP issue, having nothing really to do with the
> *protocol*. But it's also not an HTML issue, having nothing to do with
> the content of pages. Rather it's a user interface issue, and thus at
> the discretion of the browser vendors. And, for whatever reason, they
> have never been interested in providing a way to discard passwords,
> except to exit the browser.
>
> I can think of two situations where such a feature would be *really*
> handy:
>
> 1) When I'm trying to debug server-side authentication code, and I want
> to force the browser I'm using to forget its passwords.
>
> 2) In an environment where machines are shared (college computer lab,
> public library, Internet cafe), and I want to discard the passwords
> I've entered before I leave the machine.
>
> Similar reasoning would recommend a feature to discard all cookies, as
> well, but that's another topic entirely. :-)
>
> Dave Kristol
Received on Tuesday, 2 January 2001 11:48:55 UTC
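
The cookie-overwrite logout mentioned in the message above, as an added example that is not part of the original thread: a minimal client-side cookie store showing that a new cookie replaces an old one only when name, host and path all match (the storage rule later written down in RFC 6265), so a logout response with a different `Path` leaves the old session cookie in place. The `Jar` class, the host `app.example` and the cookie values are constructed for illustration; the default path is simplified to `/` and the `Domain` attribute is not modelled.

```python
from http.cookies import SimpleCookie

def path_matches(request_path, cookie_path):
    """Path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

class Jar:
    """Minimal browser-style cookie store, keyed by (name, host, path)."""
    def __init__(self):
        self.store = {}

    def receive(self, host, set_cookie):
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            key = (name, host, morsel["path"] or "/")  # simplified default path
            if morsel["max-age"] and int(morsel["max-age"]) <= 0:
                self.store.pop(key, None)       # expiry removes the stored cookie
            else:
                self.store[key] = morsel.value  # same key: old value is replaced

    def sent(self, host, request_path, name):
        """Values of `name` the client would send, longest path first."""
        hits = [(path, value) for (n, h, path), value in self.store.items()
                if n == name and h == host and path_matches(request_path, path)]
        return [value for path, value in sorted(hits, key=lambda hit: -len(hit[0]))]

def demo():
    jar, host = Jar(), "app.example"            # constructed host and values
    jar.receive(host, "session=alice-token; Path=/app")
    # Same name, new value, but a different Path: the old cookie survives.
    jar.receive(host, "session=loggedout; Path=/")
    wrong_path = jar.sent(host, "/app/inbox", "session")
    # Same name and same Path: the old value is wiped out.
    jar.receive(host, "session=loggedout; Path=/app")
    overwritten = jar.sent(host, "/app/inbox", "session")
    # Explicit expiry for each path removes the cookies entirely.
    jar.receive(host, "session=deleted; Path=/app; Max-Age=0")
    jar.receive(host, "session=deleted; Path=/; Max-Age=0")
    expired = jar.sent(host, "/app/inbox", "session")
    return wrong_path, overwritten, expired

if __name__ == "__main__":
    print(demo())
```

Overwriting or expiring the cookie only changes what the client holds; the server still has to stop accepting the old session value for the logout to be effective.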