Hi David and Nicolas,

> >I don't see how that concerns HTTP; it's a missing feature on the browsers.
> >
> >Credentials are sent on every request. All you need is a logout button on
> >the *browser* that makes it stop sending credentials. Go file feature
> >requests to the browser vendors :)

I don't necessarily disagree with you, Nicolas. Having this feature is a good thing. Unfortunately, with the current status quo of cookie-based authentication (which I detest on various security grounds), users are conditioned to expect logout functionality in the web application itself.

> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is exactly what I am wishing existed in HTTP. I have ideas for how to do this with minimal impact on existing user agents, but I wanted to make sure I understood what had already been discussed in the past.

tim

Received on Thursday, 7 January 2010 22:12:43 UTC
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:21 UTC