- From: Albert Lunde <atlunde@panix.com>
- Date: Sat, 9 Jan 2010 12:10:09 -0500
- To: 'HTTP Working Group' <ietf-http-wg@w3.org>
> Browsers just need to provide a standardized javascript API for setting
> and flushing the Authorization header (per domain).
>
> 'Logging In and Out' is a purely client-side concern, so it seems a good
> candidate for solving with code on demand - since there's really no
> visibility to lose.
I'd argue that the federated case, or even the problem of invalidating
application sessions in a load-balanced web application makes
it a total-system problem.
There does seem to be a user-interface and management issue
with providing a unified interface to all the possible sorts of login
credentials, that gives their scope and human meaning.
Off-hand, we've got Basic and Digest Auth passwords, kerberos
tickets in several forms, encrypted cookies, SAML assertions,
and probably stuff tied to session keys in the HTML or URLs.
There are too many messy issues in the big picture...
If I use a magic new feature to "log out" of an intranet site
authenticated with MSIE, have I just dumped the kerberos tickets
for our AD domain?
Can you provide a human-readable, non-spoofable way to label
the credentials?
Can the protocol be spoofed?
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Saturday, 9 January 2010 17:27:11 UTC
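The point Lunde raises about load-balanced applications, illustrated as an added example that is not part of the original thread or of any project discussed in it: two simulated application nodes behind a load balancer share one session store, and "logging out" by merely dropping the `Authorization` header on the client leaves the server-side session valid on every node, whereas a server-side revocation ends it everywhere. The `SessionStore`, `AppNode`, Bearer-token scheme and all sample data are constructed for this example and are not a standard or proposed browser API.

```python
"""Constructed example: why logout is a total-system problem once sessions
exist server-side. Nothing here models a real browser API."""

import hashlib
import secrets
import time


class SessionStore:
    """Shared store both nodes can reach (stands in for a DB or cache)."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> {"user": ..., "expires": ...}

    def create(self, user, ttl=3600):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {"user": user, "expires": time.time() + ttl}
        return token

    def lookup(self, token):
        rec = self._sessions.get(self._key(token))
        if rec is None or rec["expires"] < time.time():
            return None
        return rec["user"]

    def revoke(self, token):
        return self._sessions.pop(self._key(token), None) is not None

    @staticmethod
    def _key(token):
        # Store only a hash so a dumped store does not contain usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()


class AppNode:
    """One application server behind the (hypothetical) load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def handle(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, "no credential"
        user = self.store.lookup(token)
        if user is None:
            return 401, "invalid or revoked session"
        return 200, f"hello {user} from {self.name}"

    def logout(self, headers):
        # Server-side logout: revoke in the shared store, so every node sees it.
        _, _, token = headers.get("Authorization", "").partition(" ")
        return (204, "") if self.store.revoke(token) else (401, "unknown session")


def client_only_logout():
    """Client forgets the header but nothing is revoked server-side."""
    store = SessionStore()
    node_a, node_b = AppNode("node-a", store), AppNode("node-b", store)
    hdrs = {"Authorization": f"Bearer {store.create('alice')}"}
    assert node_a.handle(hdrs)[0] == 200
    assert node_b.handle({})[0] == 401      # the forgetting client is "logged out"
    return node_b.handle(hdrs)[0]           # any retained copy of the token still works: 200


def server_side_logout():
    """Revocation on one node is honoured by the other node."""
    store = SessionStore()
    node_a, node_b = AppNode("node-a", store), AppNode("node-b", store)
    hdrs = {"Authorization": f"Bearer {store.create('alice')}"}
    assert node_a.handle(hdrs)[0] == 200
    assert node_a.logout(hdrs)[0] == 204
    return node_b.handle(hdrs)[0]           # 401 on the other node as well


if __name__ == "__main__":
    print("client-only logout, token replayed on node-b:", client_only_logout())
    print("server-side logout, token replayed on node-b:", server_side_logout())
```

The design choice worth noting is that the store is the only place a session can be ended; a per-domain browser API that flushes the header would cover the client's own copy of the credential and nothing else, which is the "total-system" gap the message describes.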