Re: Past Proposals for HTTP Auth Logout

On Jan 7, 2010, at 10:51 PM, David Morris wrote:

> On Thu, 7 Jan 2010, Nicolas Alvarez wrote:
>> Tim wrote:
>>> I'm doing some research and I'm interested in learning about any past
>>> proposals to augment HTTP authentication (basic/digest) with a logout
>>> feature.  I have spent several hours reading mailing list archives and
>>> searching the web, and while I've found plenty of related information,
>>> I'm surprised to find no concrete proposals for this feature.
>> I don't see how that concerns HTTP; it's a missing feature on the browsers.
>> Credentials are sent on every request. All you need is a logout button on
>> the *browser* that makes it stop sending credentials. Go file feature
>> requests to the browser vendors :)
> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.

This is a hypermedia and/or browser issue, not an HTTP issue. The
server can send along with the 401 response a representation to
display. Maybe the version of the page for unauthenticated users. The
browser can display a less annoying dialog or button in the GUI
showing the client that it *can* log in. Otherwise the client could
continue or be redirected to a non-auth version of the Web site.

It is just a matter of what the browser makes of the 401 response. It  
need not display the login dialog right away.


Jan Algermissen


Received on Friday, 8 January 2010 08:39:43 UTC
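
The behaviour described in this message, a 401 response that carries a page for unauthenticated users alongside the Basic challenge, as an added example that is not part of the original post. The account, realm name and page content are constructed for the demo, and the server binds only to the loopback interface.

```python
import base64
import hmac
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

USERS = {"alice": "s3cret"}  # constructed demo account, not from the thread
GUEST_PAGE = b"<h1>Welcome, guest</h1><p>You are not logged in.</p>"

class Handler(BaseHTTPRequestHandler):
    def _user(self):  # user name for valid Basic credentials, else None
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        try:
            name, _, pw = base64.b64decode(token).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return None
        known = USERS.get(name, "") if scheme.lower() == "basic" else ""
        return name if known and hmac.compare_digest(known.encode(), pw.encode()) else None

    def do_GET(self):
        user = self._user()
        # A 401 still carries a displayable representation: the guest page.
        status, body = (200, f"<h1>Hello, {user}</h1>".encode()) if user else (401, GUEST_PAGE)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def fetch(server, auth=None):  # one GET -> (status, WWW-Authenticate, body)
    conn = http.client.HTTPConnection(*server.server_address, timeout=5)
    conn.request("GET", "/", headers={"Authorization": auth} if auth else {})
    resp = conn.getresponse()
    out = (resp.status, resp.getheader("WWW-Authenticate"), resp.read())
    conn.close()
    return out

def demo():
    creds = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    with socketserver.TCPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return fetch(server), fetch(server, creds)
        finally:
            server.shutdown()
```

What the client does with the body of the 401 (show it, or open a credential dialog straight away) is a user-agent decision, which is the point made above.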