Re: Past Proposals for HTTP Auth Logout

Hi David and Nicolas,

> >I don't see how that concerns HTTP; it's a missing feature on the browsers.
> >
> >Credentials are sent on every request. All you need is a logout button on
> >the *browser* that makes it stop sending credentials. Go file feature
> >requests to the browser vendors :)

I don't necessarily disagree with you, Nicolas.  Having this feature is
a good thing.  Unfortunately, with the current status quo of
cookie-based authentication (which I detest on various security
grounds), users are conditioned to expect logout functionality in the
web application itself.

> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is exactly what I am wishing existed in HTTP.  I have ideas for
how to do this with minimal impact on existing user agents, but I
wanted to make sure I understood what had already been discussed in
the past.


Received on Thursday, 7 January 2010 22:12:43 UTC