Re: OT re HTTP auth disassocation of credentials from Willy Tarreau on 2011-09-19 (ietf-http-wg@w3.org from July to September 2011)

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 19 Sep 2011 06:30:39 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20110919043039.GD10910@1wt.eu>

Hi Adrien,

On Mon, Sep 19, 2011 at 04:18:34PM +1200, Adrien de Croy wrote:
> Hi all
> 
> I know this is outside the WG charter, but I thought it could be topical 
> in terms of recent discussions on authentication.
> 
> One of the failings (IMHO) of the HTTP auth as implemented by most 
> browsers, is the impossibility of implementing a logout function in a 
> web site which uses HTTP auth.
> 
> Since client browsers cache credentials (for obvious reasons), they will 
> re-present cached creds for each new page if there's ever a 401 returned.
> 
> This means once you use HTTP authentication to establish creds with a 
> site, you can't disassociate your browser from these creds without 
> shutting it down.  In most cases, this involves shutting down every 
> instance of your browser.
> 
> Compared with your typical website that uses cookie/session-based login, 
> this seems like a fairly glaring omission.
> 
> So, what if there were some status code, or response header that could 
> be used to tell a browser to clear the cached credentials for that 
> site?  Then you could put up a link on your web page, call it logout, 
> and when the user clicks it, you send back that status or header.  Then 
> the client unlearns the creds so that the next auth challenge from that 
> site results in a login dialog in the client.

I agree, I've missed this a number of times too. In fact, I noticed that
if you force the server to return 401 when presented the valid credentials,
most browsers seem to forget the ones they used to cache. But this is
terribly dirty, as the user receives a new pop-up where he's tempted to
re-enter his credentials...

I think that the difficulty for browers is how to deal with multiple
parallel connections. If one of them returns "4XX logout" and others
still return 2xx or 3xx in response to some Authorization headers, it
may be confused. This probably means that the "4xx logout" should
cause an immediate flush of the cached credentials and that no window
of frame or connection may use a cached version of them. Maybe this is
already something simple for browsers, I don't know.

> Adrien

Best regards,
Willy

Received on Monday, 19 September 2011 04:31:07 UTC