- From: Ingo Struck <lists@ingostruck.de>
- Date: Sat, 21 Oct 2006 19:17:28 +0000
- To: "Robert Sayre" <sayrer@gmail.com>
- Cc: "Henrik Nordstrom" <hno@squid-cache.org>, "HTTP Working Group" <ietf-http-wg@w3.org>
Robert, Henrik,

> > On Fri 2006-10-20 at 14:12 -0400, Robert Sayre wrote:
> > > HTTP security now takes place via forms, cookies, redirects, and
> > > rubber bands.
> >
> > And to be honest mainly because web designers are not happy with how the
>
> That is one reason. The ad-hoc stuff can be more secure than the
> standard schemes, too.

I never encountered any ad-hoc stuff that was better than Basic, though.
Not to speak of digest. Especially nonces and mutual auth cannot reasonably
be done using cookies or any solution "above" the protocol.

> Also, there is no logout button. I plan to take care of both problems
> for new schemes in Mozilla.

This is one real showstopper. There must be a mechanism for the client to
drop the "session". For the server there is no problem to drop it -- just
send a new challenge.

> Need a markup widget to clear HTTP credentials
> <https://bugzilla.mozilla.org/show_bug.cgi?id=355319>

This could be a requirement of any auth-scheme too, but fixing this "bug"
is a good thing.

Kind regards

Ingo Struck
Received on Saturday, 21 October 2006 18:14:57 UTC