Re: Past Proposals for HTTP Auth Logout

Tim <tim-projects@sentinelchicken.org> writes:

> Also, what is
> the goal of the location-when-logout design?  Could the body of a 200
> response as I propose not achieve a similar goal?  It's just that it
> seems confusing to mix 2XX/3XX/4XX semantics by having a redirect
> instruction potentially appear in non-3XX response types.

This is to support client-initiated log-out, and generally not
needed for server-initiated log-out as you might guess.

# Clicking a "log-out" link to log out is a server-initiated log-out.

In our current proposal, when the server requests a log-out,
a usual positive response with a header
"Authentication-control: Mutual logout-timeout=0" will be sent
from the server. And this will cause the client's memory of
the user/pass associated with the current request to be erased.
In this case we can just use usual 302/303 responses for redirection.

However, if a client user requests the browser to log out
(our test implementation browser has a "log-out" UI button),
the client will clear the user/pass memory and then "reload" the
current page by default.
While it should be OK to reload a GET request,
it is undesirable to reload other kinds of requests like "POST"s.

# In most cases, the final actions which authenticated users want to
# do will be POST requests (e.g. a "Check out the shopping cart" button :-).

Our "location-when-logout" directive suggests that the client change this
default behavior; it will move to a specified new location (with a GET
request), instead of reloading.

# And this is why our draft encourages applications to send an
# appropriate location-when-logout directive for every POST request.

So, it does not seem similar to a Location in a 3XX response to me; it
is more like a special link activated after logging out.  Another
possible solution may be a special-meaning Link: header, but I think
that our current design is better than that.

-- 
Yutaka OIWA, Ph.D.                                       Research Scientist
                            Research Center for Information Security (RCIS)
    National Institute of Advanced Industrial Science and Technology (AIST)
                      Mail addresses: <y.oiwa@aist.go.jp>, <yutaka@oiwa.jp>
OpenPGP: id[440546B5] fp[7C9F 723A 7559 3246 229D  3139 8677 9BD2 4405 46B5]

Received on Tuesday, 12 January 2010 13:32:53 UTC
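As an added example (not code from the draft or from anyone in this thread), here is a toy Python model of the client-side behaviour described above: a parser for the Authentication-Control directives and a client that erases its stored user/pass on a server-sent `logout-timeout=0`, and on a user-initiated log-out either reloads a GET or follows `location-when-logout` with a GET instead of resubmitting a POST. The directive grammar, class and function names are assumptions, not the draft's ABNF.

```python
import re
from typing import Dict, Optional, Tuple

# One "name=value" directive with a token or quoted-string value. The exact
# grammar here is an assumption modelled on HTTP auth-param lists, not the draft's ABNF.
_DIRECTIVE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)=("(?:[^"\\]|\\.)*"|[^\s,]+)')

def parse_authentication_control(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an Authentication-Control value into (auth scheme, directive dict)."""
    scheme, _, rest = value.strip().partition(" ")
    directives: Dict[str, str] = {}
    for name, raw in _DIRECTIVE.findall(rest):
        if raw.startswith('"'):  # unescape quoted-string
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        directives[name.lower()] = raw
    return scheme, directives

class ClientAuthState:
    """Toy model of a browser's stored user/pass for one origin (hypothetical)."""
    def __init__(self) -> None:
        self.credentials: Optional[Tuple[str, str]] = None
        self.last_method, self.last_url = "GET", ""
        self.location_when_logout: Optional[str] = None

    def on_response(self, method: str, url: str, headers: Dict[str, str]) -> None:
        """Record the request that produced this response and apply its directives."""
        self.last_method, self.last_url = method.upper(), url
        self.location_when_logout = None
        value = next((v for k, v in headers.items()
                      if k.lower() == "authentication-control"), None)
        if value is None:
            return
        scheme, directives = parse_authentication_control(value)
        if scheme.lower() != "mutual":
            return
        # Server-initiated log-out: logout-timeout=0 erases the stored user/pass.
        if directives.get("logout-timeout") == "0":
            self.credentials = None
        self.location_when_logout = directives.get("location-when-logout")

    def user_logout(self) -> Tuple[str, str]:
        """Client-initiated log-out: forget the user/pass, then pick the next load."""
        self.credentials = None
        if self.location_when_logout is not None:
            return "GET", self.location_when_logout   # follow the directive
        if self.last_method == "GET":
            return "GET", self.last_url               # reloading a GET is fine
        # A reload here would resubmit the POST. Refusing to load anything is this
        # example's own choice; the draft's default behaviour is to reload.
        return "NONE", self.last_url
```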