- From: Tim <tim-projects@sentinelchicken.org>
- Date: Fri, 8 Jan 2010 11:50:02 -0800
- To: Jan Algermissen <algermissen1971@mac.com>
- Cc: ietf-http-wg@w3.org
> > Browser receives 401
> >
> > If auth type and realm match those of any cached credentials, then:
> > Clear cached credentials
> > Show body of 401 response to user
> >
> > Otherwise: Prompt user for new credentials
>
> Sort of - I just meant to sketch how it might work. I think some
> standard link relation might be better, e.g.

Well, if it isn't well defined somewhere, then it will never fly. You see, those who choose what authentication gets used are application developers. They use cookies because it gives them full control over the user interface and a whole lot of other application behaviors. If browsers don't change in unison to a behavior like you propose, then app developers will never adopt better authentication protocols. Just not worth the effort.

> GET /protected.html
>
> 401 Authorization Required
> Content-Type: text/html
>
> <html>
> <head>
> <link rel="noauth-version" href="/unprotected.html"/>
> </head>
> <body>...</body>
> </html>
>
> Then the browser had a way to make a choice between

Choice of UI needs to be taken out of the browser's hands when it comes to log out. Sure, it's great if browsers give users a button or menu to clear credentials (which many now do, different in each browser), but the resulting landing page upon log out needs to be fully controlled by the

> - showing the dialog as currently done

Status quo, no good.

> - showing a button in the browser GUI for this page and display the
> noauth version

Possibly workable. My thought for logging in again would just be an HTML link in the body of the 401, set by the application developer, which points the user back to log in (possibly on the same page). A button provided by the browser wouldn't hurt either. As I said, convincing browsers to make this change may be quite difficult though.

> - provide the dialog but include a button in the dialog to go to the
> noauth version

Not workable. If a user clicks log out in the application itself, they don't expect to be prompted immediately. This is the UI problem that causes HTTP auth to be rejected by developers.

> Browsers that do not know noauth-version would not change their
> behavior.
>
>
> This could also be used in a Link header if the payload is not HTML.
>
> Hmmm - that is actually all not bad - maybe someone should register
> such a relation?

Then we're back to headers again... why not just start with an auth response header that provides this functionality regardless of content type, and also provides:

- The ability to authenticate the logout response, as some more secure protocols may require.
- The ability to log out of single applications when multiple applications are authenticated with one set of credentials.
- Extensibility which ties directly into new HTTP authentication types.

tim
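The browser-side logout rule sketched in the quoted text (clear cached credentials whose auth type and realm match the 401 challenge and show the body without prompting, otherwise prompt) together with discovery of the proposed noauth-version relation from a Link header or an HTML <link>, as an added example that is not part of this thread or of any browser; the function names, the in-memory (scheme, realm) credential cache and the sample 401 body are assumptions.

```python
import re

# Constructed 401 body following the thread's sketch (added example, not the thread's code).
HTML_401_BODY = (
    '<html><head><link rel="noauth-version" href="/unprotected.html"/></head>'
    '<body><a href="/protected.html">log in again</a></body></html>'
)

def parse_challenge(www_authenticate):
    """Return (scheme, realm) from a WWW-Authenticate value such as
    'Basic realm="Example"'. The scheme token is case-insensitive; the realm is not."""
    m = re.match(r'\s*(\w+)(?:\s+(.*))?$', www_authenticate or "")
    if not m:
        return "", ""
    r = re.search(r'realm\s*=\s*"([^"]*)"', m.group(2) or "", re.I)
    return m.group(1).lower(), (r.group(1) if r else "")

def noauth_link(headers, body):
    """Find the noauth-version target: first in a Link header (the non-HTML
    payload case from the thread), then in an HTML <link> element."""
    for part in headers.get("Link", "").split(","):
        m = re.match(r'\s*<([^>]+)>(.*)', part)
        if m and re.search(r'rel\s*=\s*"?noauth-version"?', m.group(2), re.I):
            return m.group(1)
    for tag in re.findall(r'<link\b[^>]*>', body or "", re.I):
        if re.search(r'rel\s*=\s*"noauth-version"', tag, re.I):
            h = re.search(r'href\s*=\s*"([^"]+)"', tag, re.I)
            if h:
                return h.group(1)
    return None

def handle_401(cache, headers, body):
    """Apply the sketched rule. `cache` maps (scheme, realm) -> credentials and
    models the browser's credential store (an assumption of this example).
    Returns (action, noauth_target): 'show_body' means the matching credentials
    were cleared and the application-controlled body is shown with no prompt."""
    key = parse_challenge(headers.get("WWW-Authenticate", ""))
    target = noauth_link(headers, body)
    if key in cache:
        del cache[key]              # log out: forget credentials for this realm only
        return "show_body", target
    return "prompt", target         # not logged in here: ask for credentials
```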
Received on Friday, 8 January 2010 19:50:31 UTC