
Re: Past Proposals for HTTP Auth Logout

From: Jan Algermissen <algermissen1971@mac.com>
Date: Fri, 08 Jan 2010 09:39:05 +0100
Cc: Nicolas Alvarez <nicolas.alvarez@gmail.com>, ietf-http-wg@w3.org
Message-id: <B21269A6-2A93-4FCD-816E-65AE7DE9AB7E@mac.com>
To: David Morris <dwm@xpasc.com>

On Jan 7, 2010, at 10:51 PM, David Morris wrote:

>
>
> On Thu, 7 Jan 2010, Nicolas Alvarez wrote:
>
>> Tim wrote:
>>> I'm doing some research and I'm interested in learning about any past
>>> proposals to augment HTTP authentication (basic/digest) with a logout
>>> feature.  I have spent several hours reading mailing list archives and
>>> searching the web, and while I've found plenty of related information,
>>> I'm surprised to find no concrete proposals for this feature.
>>
>> I don't see how that concerns HTTP; it's a missing feature on the browsers.
>>
>> Credentials are sent on every request. All you need is a logout button on
>> the *browser* that makes it stop sending credentials. Go file feature
>> requests to the browser vendors :)
>
> So on what basis does the browser prompt again? It is likely a better user
> experience if the flush credentials is part of a server response to a
> web page logout button which lets both ends know the logout occurred and
> takes the user to a page which doesn't immediately present a new
> credential dialog.
>

This is a hypermedia and/or browser issue, not an HTTP issue. The
server can send along with the 401 response a representation to
display. Maybe the version of the page for unauthenticated users. The
browser can display a less annoying dialog or button in the GUI
showing the client that it *can* log in. Otherwise the client could
continue or be redirected to a non-auth version of the Web site.

It is just a matter of what the browser makes of the 401 response. It
need not display the login dialog right away.

Jan



--------------------------------------
Jan Algermissen

Mail: algermissen@acm.org
Blog: http://algermissen.blogspot.com/
Home: http://www.jalgermissen.com
--------------------------------------
Received on Friday, 8 January 2010 08:39:43 UTC
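
The server side of what the message above describes, as an added example that is not part of the original thread or of any browser or server project: a 401 response that carries the guest version of the page as its body alongside the Basic challenge, so a client that does not open a dialog still has something to display. The user name, password, realm and page bodies are constructed for the demo.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values; none of these come from the thread.
USER, PASSWORD, REALM = "alice", "constructed-password", "demo"
PUBLIC_PAGE = b"<h1>Welcome, guest</h1><p>You can log in.</p>"
PRIVATE_PAGE = b"<h1>Welcome, alice</h1>"

def credentials_ok(header):
    """Check an Authorization: Basic header, comparing in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(supplied, f"{USER}:{PASSWORD}".encode())

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = credentials_ok(self.headers.get("Authorization"))
        # The 401 still carries a representation: the page for guests.
        body = PRIVATE_PAGE if ok else PUBLIC_PAGE
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")  # keep both views out of caches
        self.end_headers()
        self.wfile.write(body)

def start_server():
    """Serve on an ephemeral localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch(port, auth=None):
    """GET / and return (status, WWW-Authenticate header, body)."""
    token = base64.b64encode(auth.encode()).decode() if auth else None
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Authorization": "Basic " + token} if token else {})
    resp = conn.getresponse()
    result = resp.status, resp.getheader("WWW-Authenticate"), resp.read()
    conn.close()
    return result
```

Whether a client renders the 401 body or opens a credential dialog straight away is its own decision; the server only makes the body available.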