- From: Tim <tim-projects@sentinelchicken.org>
- Date: Thu, 7 Jan 2010 14:12:13 -0800
- To: David Morris <dwm@xpasc.com>
- Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org

Hi David and Nicolas,

> > I don't see how that concerns HTTP; it's a missing feature on the browsers.
> >
> > Credentials are sent on every request. All you need is a logout button on
> > the *browser* that makes it stop sending credentials. Go file feature
> > requests to the browser vendors :)

I don't necessarily disagree with you, Nicolas. Having this feature is a good thing. Unfortunately, with the current status quo of cookie-based authentication (which I detest on various security grounds), users are conditioned to expect logout functionality in the web application itself.

> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is exactly what I am wishing existed in HTTP. I have ideas for how to do this with minimal impact on existing user agents, but I wanted to make sure I understood what had already been discussed in the past.

tim

Received on Thursday, 7 January 2010 22:12:43 UTC