Re: Past Proposals for HTTP Auth Logout

On the same note.

What would really help for the foaf+ssl [1] RESTful distributed authentication system would
be if we could somehow push browser vendors to improve their SSL stack - and part of
this may require tying SSL more closely to HTTP - so that they don't automatically
send an SSL certificate once a user has connected to a site. Currently browsers such as
Firefox require a restart before they ask you which certificate you wish to choose.

One suggestion is that one should be able to see what client certificate has been used
when connecting to a web site, so that one could change it:

   http://blogs.sun.com/bblfish/entry/identity_in_the_browser_firefox

The advantage of foaf+ssl over the traditional HTTP login is that it does not even require
a username or password on the part of the user, without any of the traditional problems
associated with certificates, as the certs are self-signed.

	Henry
  
[1] http://esw.w3.org/topic/foaf+ssl

On 31 Jan 2010, at 04:39, Tim wrote:

> Bil,
> 
>> Here's an example of using AJAX to log out a user via HTTP Auth:
>> 
>> 	http://www.corry.biz/logout_demo/
> 
> Oh, nice, I hadn't thought of this before.  To summarize, you just set
> up a page within the protection space which always returns a 200 code
> and then access it via XMLHttpRequest with a bogus password.  What
> browsers have you tested this on?
> 
> So it appears with logins and logouts, AJAX + response code hacks are
> possible to make this work right now.  I still think an HTTP-level
> session termination mechanism is worthwhile for user agents that don't
> want to rely on JavaScript, but for most developers, this could be the
> missing piece to make HTTP auth usable again.
> 
> thanks!
> tim
> 

Received on Thursday, 25 February 2010 16:23:57 UTC
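
The logout technique summarized in the quoted message, sketched as an added example that is not part of the original thread or of the linked demo. The realm name, the paths, the account and the function names are assumptions made for illustration, and how a given browser caches the bogus credentials is not covered by the thread.

```javascript
// Added illustration; realm, paths and the account below are constructed.
const REALM = 'demo';
const USERS = { alice: 's3cret' };

// Decode an "Authorization: Basic <base64>" header into {user, pass}, else null.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header || '');
  if (!m) return null;
  const text = Buffer.from(m[1], 'base64').toString('utf8');
  const i = text.indexOf(':');
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

function credentialsValid(header) {
  const c = parseBasic(header);
  // Plain comparison keeps the demo short; a real server compares hashed
  // secrets in constant time.
  return c !== null &&
    Object.prototype.hasOwnProperty.call(USERS, c.user) &&
    USERS[c.user] === c.pass;
}

// Server side: returns the status and headers for one request.
function handle(path, authorization) {
  if (path === '/private/logout') {
    // Always 200 and never inspects the credentials, so a browser that caches
    // credentials per protection space now holds the bogus pair.
    return { status: 200, headers: {}, body: 'logged out' };
  }
  if (path.startsWith('/private/')) {
    if (credentialsValid(authorization)) {
      return { status: 200, headers: {}, body: 'secret page' };
    }
    // The cached bogus pair fails here, so the user is challenged again.
    return { status: 401, headers: { 'WWW-Authenticate': `Basic realm="${REALM}"` }, body: '' };
  }
  return { status: 404, headers: {}, body: '' };
}

// Browser side: request the logout page with a bogus user and password.
function logout(done) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', '/private/logout', true, 'logout', 'bogus');
  xhr.onload = () => done(xhr.status === 200);
  xhr.send();
}
```

The logout page has to sit inside the same protection space as the pages it logs out of; otherwise the bogus credentials are stored for a different realm and the real ones stay cached.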