- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 19 Sep 2011 16:18:34 +1200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi all

I know this is outside the WG charter, but I thought it could be topical in terms of recent discussions on authentication.

One of the failings (IMHO) of the HTTP auth as implemented by most browsers, is the impossibility of implementing a logout function in a web site which uses HTTP auth.

Since client browsers cache credentials (for obvious reasons), they will re-present cached creds for each new page if there's ever a 401 returned. This means once you use HTTP authentication to establish creds with a site, you can't disassociate your browser from these creds without shutting it down. In most cases, this involves shutting down every instance of your browser.

Compared with your typical website that uses cookie/session-based login, this seems like a fairly glaring omission.

So, what if there were some status code, or response header that could be used to tell a browser to clear the cached credentials for that site? Then you could put up a link on your web page, call it logout, and when the user clicks it, you send back that status or header. Then the client unlearns the creds so that the next auth challenge from that site results in a login dialog in the client.

Adrien

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
Received on Monday, 19 September 2011 04:19:10 UTC
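The post describes two behaviours: a browser that caches HTTP Basic credentials and re-presents them on every later request, and a proposed server response that tells the browser to forget them. The following simulation is an added example written for this archive page, not code from the poster or from WinGate. It models a Basic-auth server and a credential-caching client in a few dozen lines; the header name `Logout-Credentials`, the realm `example`, the user `alice`/`s3cret` and the `supports_logout` switch are all constructed for the example, and no such header exists in HTTP. The `supports_logout=False` server shows the omission the post complains about: after "logout" the client still holds the credentials and never shows a login dialog again.

```python
"""Simulation of browser credential caching for HTTP Basic auth and a
hypothetical 'Logout-Credentials' response header (constructed example)."""
import base64
import binascii

LOGOUT_HEADER = "Logout-Credentials"   # hypothetical header, not a real one
REALM = "example"                      # constructed realm name
VALID_USERS = {"alice": "s3cret"}      # constructed sample account


def parse_realm(value):
    """Extract realm="..." from a WWW-Authenticate or logout header value."""
    start = value.find('realm="')
    if start < 0:
        return None
    start += len('realm="')
    return value[start:value.find('"', start)]


class Server:
    """Origin server: every path is protected; /logout is the logout link."""

    def __init__(self, supports_logout=True):
        self.supports_logout = supports_logout

    def handle(self, path, headers):
        """Return (status, response headers, body) for one request."""
        if path == "/logout":
            resp = {LOGOUT_HEADER: f'realm="{REALM}"'} if self.supports_logout else {}
            return 200, resp, "logged out"
        auth = headers.get("Authorization")
        if auth and self._credentials_valid(auth):
            return 200, {}, f"secret page {path}"
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""

    @staticmethod
    def _credentials_valid(auth):
        scheme, _, token = auth.partition(" ")
        if scheme != "Basic":
            return False
        try:
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return False
        return VALID_USERS.get(user) == pw


class Browser:
    """Client that caches Basic credentials per realm, like real browsers."""

    def __init__(self, server, prompt):
        self.server = server
        self.prompt = prompt      # callable returning (user, password): the login dialog
        self.cache = {}           # realm -> Authorization header value
        self.prompts = 0          # how many times the login dialog was shown

    def get(self, path):
        """Fetch a path, re-presenting cached creds and answering 401 challenges."""
        headers = {}
        if self.cache:  # single-realm simulation: send any cached credential
            headers["Authorization"] = next(iter(self.cache.values()))
        status, resp_headers, body = self.server.handle(path, headers)

        if status == 401 and "WWW-Authenticate" in resp_headers:
            realm = parse_realm(resp_headers["WWW-Authenticate"])
            self.prompts += 1                     # show the login dialog
            user, pw = self.prompt()
            token = base64.b64encode(f"{user}:{pw}".encode()).decode()
            auth = f"Basic {token}"
            status, resp_headers, body = self.server.handle(path, {"Authorization": auth})
            if status != 401:
                self.cache[realm] = auth          # remember creds that worked

        # The proposed mechanism: the server tells us to forget the creds.
        if LOGOUT_HEADER in resp_headers:
            self.cache.pop(parse_realm(resp_headers[LOGOUT_HEADER]), None)
        return status, body


def run_session(supports_logout):
    """Visit two pages, click logout, visit a third; return dialog count per step."""
    browser = Browser(Server(supports_logout), lambda: ("alice", "s3cret"))
    browser.get("/a")
    after_first = browser.prompts      # 1: challenged, dialog shown
    browser.get("/b")
    after_second = browser.prompts     # still 1: cached creds re-presented
    browser.get("/logout")
    browser.get("/c")
    after_logout = browser.prompts     # 2 if logout worked, else still 1
    return after_first, after_second, after_logout


if __name__ == "__main__":
    print("with logout header:   ", run_session(True))
    print("without logout header:", run_session(False))
```

With the header, the third page visit after logout produces a fresh login dialog; without it, the browser silently re-sends the cached credentials and the user has no way to sign out short of closing the browser.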