Re: Logout

> > the passwords that are used to access HTTP servers?  IE: a "logout"
> > for HTTP built-in authentication.
> >
> > I imagine that this is the sort of requirement that HTTP people think
> > this should be in the HTML group - and vice-versa.
> >
> > However it is an embarrassing oversight in modern browsers.
> One that some of us have tried hard to overcome, to no avail.  The
> basic problem is that the browser vendors have listened carefully to
> what thier customers want, and have heard loud and clear that they
> don't want to have to remember passwords.

Over 600 users have asked us within the last year how to "log out" of sites
such as etrade and daytek which use HTTP based authentication.

Browser customers don't want to remember passwords - however they want
a "logout button" as well.  This is not a paradox and there is no
inextricable reason why
browsers can't cache usr information but have a button for "clearing the

I think the real reason that this has not been done is because both major
browsers today have other agendas regarding network access and security.

Currently there is no way to clear the cache by having an HTTP server
it to be cleared - or by a user initiating the clearing of this information.
is a basic security leak - and should be plugged.

> Paul Leach of Microsoft and I attempted to provide a framework for a
> solution to this and some related problems in a submission to the
> W3C (User Agent Authentication Forms) in February of 1999:

However, this is a "forms based" solution which undermines digest
and other more "standard" forms of authentication - that have proved very
to developers of web applications.

Simply, there should be one line added to section 4.13

"It is reccomended that the authenticating agent provide a set mechanisms
removing entries from the "password file" associated with a given realm, for
the purposes of logging out of a system."

And that's about all that's necessary.

I don't think it needs a whole RFC ... just an addendum to existing ones.

            - Erik

Received on Tuesday, 2 January 2001 13:10:06 UTC