- From: Story Henry <henry.story@bblfish.net>
- Date: Thu, 25 Feb 2010 17:23:14 +0100
- To: Tim <tim-projects@sentinelchicken.org>
- Cc: Bil Corry <bil@corry.biz>, Yutaka OIWA <y.oiwa@aist.go.jp>, Working Group HTTP <ietf-http-wg@w3.org>, Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
On the same note. What would really help for the foaf+ssl [1] RESTful distributed authentication system, would be if we could somehow push browser vendors to improve their ssl stack - and part of this may require tying ssl more closely to HTTP - so that they don't automatically send an SSL certificate once a user has connected to a site. Currently browsers such as firefox require a restart before they ask you which certificate you wish to choose.

One suggestion is that one should be able to see what client certificate has been used when connecting to a web site, so that one could change it

http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

The advantage of foaf+ssl over the traditional HTTP login is that it does not even require a username or password on the part of the user, without any of the traditional problems associated with certificates, as the certs are self signed.

Henry

[1] http://esw.w3.org/topic/foaf+ssl

On 31 Jan 2010, at 04:39, Tim wrote:

> Bil,
>
>> Here's an example of using AJAX to log out a user via HTTP Auth:
>>
>> http://www.corry.biz/logout_demo/
>
> Oh, nice, I hadn't thought of this before. To summarize, you just set
> up a page within the protection space which always returns a 200 code
> and then access it via XMLHttpRequest with a bogus password. What
> browsers have you tested this on?
>
> So it appears with logins and logouts, AJAX + response code hacks are
> possible to make this work right now. I still think an HTTP-level
> session termination mechanism is worthwhile for user agents that don't
> want to rely on JavaScript, but for most developers, this could be the
> missing piece to make HTTP auth usable again.
>
> thanks!
> tim
>
Received on Thursday, 25 February 2010 16:23:57 UTC
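
The logout approach summarized in the quoted message above (a resource inside the protection space that always returns 200, requested via XMLHttpRequest with a bogus password), sketched as an added example that is not part of the original thread or of the linked demo. The path, the function names and the bogus user name are assumptions, as is the expectation that the browser then replaces its cached credentials for the realm, which varies by browser.

```javascript
// Added example; LOGOUT_PATH, logoutHandler and httpAuthLogout are hypothetical names.

// Assumed location of the logout resource inside the protected realm.
const LOGOUT_PATH = '/private/logout';

// Server side (Node-style handler): answers 200 to every request, whatever
// the Authorization header holds, so the browser accepts the bogus
// credentials instead of prompting the user again.
function logoutHandler(req, res) {
  // Deliberately no credential check and no 401 on this one resource.
  res.writeHead(200, {
    'Content-Type': 'text/plain',
    'Cache-Control': 'no-store', // keep the response out of caches
  });
  res.end('logged out');
}

// Client side: request the logout resource with a bogus user and password.
// XMLHttpRequest.open(method, url, async, user, password) carries the
// credentials. XHR is injectable so the function can run outside a browser.
function httpAuthLogout(url, XHR = globalThis.XMLHttpRequest) {
  return new Promise((resolve, reject) => {
    const xhr = new XHR();
    // Bogus credentials; the timestamp only makes the password unguessable
    // as a real one, it is never checked by the server.
    xhr.open('GET', url, true, 'logged-out', 'bogus-' + Date.now());
    xhr.onload = () => resolve(xhr.status === 200);
    xhr.onerror = () => reject(new Error('logout request failed'));
    xhr.send();
  });
}
```

Every other resource in the realm must keep answering 401 to the bogus credentials; only the logout resource skips the check.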