Re: Past Proposals for HTTP Auth Logout

> Browsers just need to provide a standardized JavaScript API for
> setting and flushing the Authorization header (per domain).

This is a possible solution, if all browsers supported JavaScript.
Most don't.  Most only support ECMAScript and I'm sure you know how
ugly this stuff gets in practice.

At a more abstract level, HTTP handles log-ins in stateful
authentication protocols, but you're asking JavaScript to handle log
outs.  This asymmetry seems confusing.

> 'Logging In and Out' is a purely client-side concern, so it seems a
> good candidate for solving with code on demand - since there's
> really no visibility to lose.

No, I think you're mistaken here.  It is also a concern for
cryptographic protocols.  Typically, any secure protocol will define
some kind of session key which needs to be forgotten once the session
is over.  Server and client need to synchronize this.

Regards,
tim

Received on Saturday, 9 January 2010 23:20:10 UTC