- From: Albert Lunde <atlunde@panix.com>
- Date: Thu, 7 Jan 2010 15:04:48 -0500
- To: Tim <tim-projects@sentinelchicken.org>
- Cc: ietf-http-wg@w3.org

On Thu, Jan 07, 2010 at 10:24:09AM -0800, Tim wrote:
> Hello,
>
> I apologize in advance if this is not an appropriate place to ask
> this question.
>
> I'm doing some research and I'm interested in learning about any past
> proposals to augment HTTP authentication (basic/digest) with a logout
> feature. I have spent several hours reading mailing list archives and
> searching the web, and while I've found plenty of related information,
> I'm surprised to find no concrete proposals for this feature.
>
> Surely I'm missing something. Could someone point me in the right
> direction?

Speaking as a non-expert...

This tends to be a problem that relates to application sessions as much as to HTTP protocol-level authentication.

It seems to be possible to solve at the level of a single application, and hard to solve at the next level of federated authentication.

Thus the Shibboleth project is periodically explaining why they don't provide single logout:

<https://spaces.internet2.edu/display/SHIB2/SLOIssues>
<https://wiki.brown.edu/confluence/display/CISDOC/Shibboleth+and+Application+Logout+Best+Practices>

The varied way that different HTTP clients handle cookies, Kerberos tickets, and other authentication credentials probably makes it harder to manage.

Web Single-Signon systems seem to depend on gimmicks outside the scope of HTTP as such, in order to work with existing web browsers.

--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)

Received on Thursday, 7 January 2010 20:05:16 UTC