- From: Erik Aronesty <erik@primedata.org>
- Date: Tue, 2 Jan 2001 16:12:39 -0500
- To: Scott Lawrence <slawrence@virata.com>
- Cc: http-wg@cuckoo.hpl.hp.com
> > the passwords that are used to access HTTP servers? IE: a "logout" button > > for HTTP built-in authentication. > > > > I imagine that this is the sort of requirement that HTTP people think that > > this should be in the HTML group - and vice-versa. > > > > However it is an embarrassing oversight in modern browsers. > > One that some of us have tried hard to overcome, to no avail. The > basic problem is that the browser vendors have listened carefully to > what thier customers want, and have heard loud and clear that they > don't want to have to remember passwords. Over 600 users have asked us within the last year how to "log out" of sites such as etrade and daytek which use HTTP based authentication. Browser customers don't want to remember passwords - however they want a "logout button" as well. This is not a paradox and there is no inextricable reason why browsers can't cache usr information but have a button for "clearing the cache" I think the real reason that this has not been done is because both major browsers today have other agendas regarding network access and security. Currently there is no way to clear the cache by having an HTTP server request it to be cleared - or by a user initiating the clearing of this information. This is a basic security leak - and should be plugged. > Paul Leach of Microsoft and I attempted to provide a framework for a > solution to this and some related problems in a submission to the > W3C (User Agent Authentication Forms) in February of 1999: > > http://www.w3.org/TR/1999/NOTE-authentform-19990203 However, this is a "forms based" solution which undermines digest authentication and other more "standard" forms of authentication - that have proved very helpful to developers of web applications. Simply, there should be one line added to section 4.13 ftp://ftp.isi.edu/in-notes/rfc2617.txt "It is reccomended that the authenticating agent provide a set mechanisms for removing entries from the "password file" associated with a given realm, for the purposes of logging out of a system." And that's about all that's necessary. I don't think it needs a whole RFC ... just an addendum to existing ones. - Erik
Received on Tuesday, 2 January 2001 13:10:06 UTC