- From: Willy Tarreau <w@1wt.eu>
- Date: Sun, 25 Sep 2011 15:20:41 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Julian,

On Sun, Sep 25, 2011 at 03:06:04PM +0200, Julian Reschke wrote:
> > I think that the difficulty for browsers is how to deal with multiple
> > parallel connections. If one of them returns "4XX logout" and others
> > still return 2xx or 3xx in response to some Authorization headers, it
> > may be confused. This probably means that the "4xx logout" should
> > cause an immediate flush of the cached credentials and that no window,
> > frame or connection may use a cached version of them. Maybe this is
> > already something simple for browsers, I don't know.
> > ...
>
> But that's not different from today with logging out from sites using
> cookie authentication, right?

I think it's slightly different because with a cookie, when the server
deletes it, it's not valid anymore. So even if the browser posts a few
requests with the recently deleted cookie, they will not be authenticated.
With user:passwd credentials, the logout is just an event at one point but
does not remove the credentials' validity. So the few possibly pending
requests which are sent with the credentials should not cause these
credentials to be used again afterwards. But I agree it's just a matter of
implementation.

> Speccing a 4xx status code seems to be quite simple, but I'll assume
> most sites would be hesitant to use something for "logout" when there's
> no simple way to find out whether the UA understood it.

That's a good point. In my experience, user:password auth was mostly used
on internal networks. The lack of a logout feature is more a matter of
convenience than a real security issue because the population is limited
and clients are installed on machines that are more or less associated
with one user. So even if the UA ignores the 4xx, it's not a big deal.

There are also places where web developers waste a lot of time
connecting/disconnecting and constantly have to open/close the browser
because they're experimenting with different user profiles.
I noticed that with proxy auth too, where people validate URL filters, or
have to switch their profile. But here it should probably be a browser
feature and not a 4xx code.

Just my 2 cents,
Willy
Received on Sunday, 25 September 2011 13:21:12 UTC
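The race Willy describes, modelled in Node.js as an added example that is not part of the thread or of any browser's code. A tiny origin server keeps a cookie-session store and a Basic realm, and a user agent queues requests with whatever it has cached at send time and only processes the responses afterwards, which stands in for parallel connections whose replies arrive after the logout response. The status code 460 for "4xx logout" is an assumption (the thread assigns no number), as is the `alice:s3cret` account; three UA policies are compared: one that does not understand the logout status (Julian's point about UAs that ignore it), one that flushes on it but re-caches credentials from a late 2xx, and one that flushes and refuses to re-cache from responses to requests issued before the logout.

```javascript
// Hypothetical "4xx logout" status; the thread assigns no number, 460 is an
// assumption used only inside this model.
const LOGOUT_STATUS = 460;

function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(user + ':' + pass, 'utf8').toString('base64');
}

// Minimal origin server with one cookie-session realm and one Basic realm.
class Server {
  constructor() {
    this.users = { alice: 's3cret' };   // constructed sample account
    this.sessions = new Set();          // live cookie sessions
    this.nextSid = 1;
  }
  // Basic credentials stay valid as long as the password matches; the server
  // keeps no per-user "logged out" state for them.
  checkBasic(auth) {
    if (!auth || !auth.startsWith('Basic ')) return false;
    const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
    const i = decoded.indexOf(':');
    return i > 0 && this.users[decoded.slice(0, i)] === decoded.slice(i + 1);
  }
  handle(req) {
    switch (req.path) {
      case '/cookie/login': {
        const sid = 'sid' + this.nextSid++;
        this.sessions.add(sid);
        return { status: 200, setCookie: sid };
      }
      case '/cookie/logout':
        this.sessions.delete(req.cookie);          // invalidated server side
        return { status: 200, setCookie: '' };
      case '/cookie/data':
        return { status: this.sessions.has(req.cookie) ? 200 : 401 };
      case '/basic/logout':                         // nothing to invalidate
        return { status: this.checkBasic(req.authorization) ? LOGOUT_STATUS : 401 };
      case '/basic/data':
        return { status: this.checkBasic(req.authorization) ? 200 : 401 };
      default:
        return { status: 404 };
    }
  }
}

// policy: 'ignore' - UA does not understand LOGOUT_STATUS at all
//         'flush'  - flushes on LOGOUT_STATUS but re-caches from any later 2xx
//         'strict' - flushes and does not re-cache from responses to requests
//                    that were sent before the logout was seen
class UserAgent {
  constructor(server, policy) {
    this.server = server;
    this.policy = policy;
    this.cookie = null;
    this.basicCreds = null;     // cached Authorization value for the realm
    this.loggedOut = false;
    this.inFlight = [];
  }
  enterCredentials(user, pass) {
    this.basicCreds = basicHeader(user, pass);
    this.loggedOut = false;
  }
  // Queue a request with whatever is cached right now.
  send(path) {
    this.inFlight.push({ path, cookie: this.cookie, authorization: this.basicCreds });
  }
  // Process queued responses in order, after all of them were sent.
  deliver() {
    const statuses = [];
    for (const req of this.inFlight) {
      const res = this.server.handle(req);
      if (res.setCookie !== undefined) this.cookie = res.setCookie || null;
      if (res.status === LOGOUT_STATUS && this.policy !== 'ignore') {
        this.basicCreds = null;
        this.loggedOut = true;
      }
      // A UA caches Basic credentials once a request carrying them succeeds.
      // Only 'strict' refuses that for a success belonging to a request
      // issued before the logout.
      if (res.status === 200 && req.authorization &&
          !(this.policy === 'strict' && this.loggedOut)) {
        this.basicCreds = req.authorization;
      }
      statuses.push(res.status);
    }
    this.inFlight = [];
    return statuses;
  }
}

// Cookie realm: logout and a data request go out in parallel with the same
// cookie; the data request fails because the session is gone server side.
function cookieLogoutRace() {
  const ua = new UserAgent(new Server(), 'strict');
  ua.send('/cookie/login');
  ua.deliver();
  ua.send('/cookie/logout');
  ua.send('/cookie/data');
  return ua.deliver();                       // [200, 401]
}

// Basic realm: the parallel data request still succeeds (credentials stay
// valid); what differs per policy is whether a *later* request goes out
// authenticated, i.e. whether the cached credentials were resurrected.
function basicLogoutRace(policy) {
  const ua = new UserAgent(new Server(), policy);
  ua.enterCredentials('alice', 's3cret');
  ua.send('/basic/logout');
  ua.send('/basic/data');
  const pending = ua.deliver();              // [460, 200] under every policy
  ua.send('/basic/data');
  const later = ua.deliver()[0];             // ignore: 200, flush: 200, strict: 401
  return { pending, later };
}
```

Under the cookie model the server's deletion does the work and the UA needs no special rule. Under Basic, only the strict policy ends up with a deauthenticated UA: the flush-only policy sees the late 200 to the pending request, treats it as confirmation, and puts the credentials straight back in the cache, which is the window the message warns about.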