W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2010

Re: Past Proposals for HTTP Auth Logout

From: Tim <tim-projects@sentinelchicken.org>
Date: Thu, 7 Jan 2010 14:12:13 -0800
To: David Morris <dwm@xpasc.com>
Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
Message-ID: <20100107221213.GE2291@sentinelchicken.org>

Hi David and Nicolas,

> >I don't see how that concerns HTTP; it's a missing feature on the browsers.
> >
> >Credentials are sent on every request. All you need is a logout button on
> >the *browser* that makes it stop sending credentials. Go file feature
> >requests to the browser vendors :)

I don't necessarily disagree with you Nicolas.  Having this feature is
a good thing.  Unfortunately, with the current status quo of
cookie-based authentication (which I detest on various security
grounds), users are conditioned to expect logout functionality in the
web application itself.

> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occured and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is exactly what I am wishing existed in HTTP.  I have ideas for
how to do this with minimal impact on existing user agents, but I
wanted to make sure I understood what had already been discussed in
the past.

Received on Thursday, 7 January 2010 22:12:43 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:21 UTC