- From: Tim <tim-projects@sentinelchicken.org>
- Date: Sat, 9 Jan 2010 15:19:39 -0800
- To: Mike Kelly <mike@mykanjo.co.uk>
- Cc: 'HTTP Working Group' <ietf-http-wg@w3.org>

> Browsers just need to provide a standardized javascript API for
> setting and flushing the Authorization header (per domain).

This is a possible solution, if all browsers supported JavaScript. Most don't. Most only support ECMAScript and I'm sure you know how ugly this stuff gets in practice.

At a more abstract level, HTTP handles log-ins in stateful authentication protocols, but you're asking JavaScript to handle log outs. This asymmetry seems confusing.

> 'Logging In and Out' is a purely client-side concern, so it seems a
> good candidate for solving with code on demand - since there's
> really no visibility to lose.

No, I think you're mistaken here. It is also a concern for cryptographic protocols. Typically, any secure protocol will define some kind of session key which needs to be forgotten once the session is over. Server and client need to synchronize this.

Regards,
tim

Received on Saturday, 9 January 2010 23:20:10 UTC