- From: Tim <tim-projects@sentinelchicken.org>
- Date: Tue, 12 Jan 2010 19:28:56 -0800
- To: Yutaka OIWA <y.oiwa@aist.go.jp>
- Cc: ietf-http-wg@w3.org
> I don't know much about an AJAX hack, but I agree that a 200 response
> with a new header would be better for several reasons.
>
> * It is simpler :-),
>
> * Behaves well with existing clients, and
>
> * Responses will not always be 200; it may also be a 3XX response
> which redirects client users back to an unauthenticated top page.

Yes, I also think an HTTP header makes the most sense. As far as 3XX responses, I'm not necessarily against them, but I haven't really thought about what any ramifications might be.

> In our proposal the header
> "Authentication-Control: Mutual logout-timeout=0"
> will possibly serve exactly the same purpose which you want.
> If there is a better generic solution, I will probably go on it.

Yes, I think something like that makes sense. How about this variation (sorry for the lack of BNF/etc grammar):

    Authentication-Control: [SCHEME] realm="[REALM]", ... [EXTENSIONS] ...

The only required pieces being the scheme and the realm. So for Mutual authentication, it may look like:

    Authentication-Control: Mutual realm="...", logout-timeout=0

For Basic it might look like:

    Authentication-Control: Basic realm="...", logout="true"

> Are there possible interesting use-cases for such a partial log-out?
> It seems to make the authentication model very complicated, and we might
> also need a way for "adding a new to a current authentication domain"
> and a careful security analysis/considerations.

I agree that partial logout could become quite confusing. I think the choice of how that would work and could be interpreted by clients should be left up to the individual authentication schemes. The advantage of a general header like the one above is the flexibility for providing this and, more importantly, providing integrity protection/authentication for the logout response.

I hope to release a paper in the next few weeks describing why HTTP authentication is still relevant and how to make it more usable in theory and practice. Your feedback has been most helpful. I will post a link here when I have it ready.

Thanks,
tim
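As an added illustration (not code from this thread or from the Mutual authentication draft), here is a small client-side parser for the header shape sketched above: a scheme token, a required quoted `realm`, and a comma-separated list of scheme-specific parameters. The grammar details (RFC-style token characters, quoted-string escaping, rejection of duplicate parameters) and the interpretation of `logout-timeout=0` and `logout="true"` as logout signals are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed grammar for the proposed header (not from the thread):
#   Authentication-Control: SCHEME param=value, param="quoted", ...
# Token characters follow the usual HTTP token definition.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
SCHEME_RE = re.compile(rf"\s*({TOKEN})(?:\s+|$)")
PARAM_RE = re.compile(rf'\s*({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*(?:,|$)')


@dataclass
class AuthControl:
    scheme: str
    realm: str
    params: dict = field(default_factory=dict)


def parse_authentication_control(value: str) -> AuthControl:
    """Parse a header value; raise ValueError on malformed input or a missing realm."""
    m = SCHEME_RE.match(value)
    if not m:
        raise ValueError("missing scheme")
    scheme, pos, params = m.group(1), m.end(), {}
    while pos < len(value):
        pm = PARAM_RE.match(value, pos)
        if not pm:
            raise ValueError(f"malformed parameter at offset {pos}")
        name = pm.group(1).lower()
        if pm.group(2) is not None:
            raw = re.sub(r"\\(.)", r"\1", pm.group(2))  # unescape quoted-string
        else:
            raw = pm.group(3)
        if name in params:
            raise ValueError(f"duplicate parameter {name}")  # ambiguous; refuse
        params[name] = raw
        pos = pm.end()
    if "realm" not in params:
        raise ValueError("realm is required")
    return AuthControl(scheme, params.pop("realm"), params)


def logout_requested(ac: AuthControl) -> bool:
    """Assumed scheme-specific reading of the two examples in the message."""
    if ac.scheme.lower() == "mutual":
        return ac.params.get("logout-timeout") == "0"
    if ac.scheme.lower() == "basic":
        return ac.params.get("logout", "").lower() == "true"
    return False
```

A client would act on such a header only for the realm it currently holds credentials for, which is why the parser refuses to proceed without one.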
Received on Wednesday, 13 January 2010 03:29:26 UTC