Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On Wed, Feb 22, 2012 at 12:47:55PM +0100, Julian Reschke wrote:
> On 2012-02-22 12:16, Willy Tarreau wrote:
> >...
> >There's nothing wrong, but I've never seen a browser suggest to
> >logout/relog upon a 403. Also, since browsers don't offer the possibility to logout in
> >general, it's hard to suggest that this possibility should be specifically
> >offered upon 403. In fact it's the global authentication/authorization
> >mechanism that should be cleaned up in 2.0 and I don't think it's too hard,
> >we just have to clearly state that we might break *some* of the 1.1 
> >assumptions.
> >...
> 
> If browsers had an API for logging off, servers could send a 403 
> response page *doing* the log off. Wouldn't that be sufficient?

In my opinion, 403 is an authorization issue, and it can come from
the user attempting to perform an unauthorized operation or just
that the lack of authorization requires a re-login. Only the user
can decide. So I think that the 403 response shouldn't cause the
logout to happen, but just make the browser ask the user if he
prefers to log out or to continue normal browsing. A "log off"
button on the top right corner would definitely help. Users could
take the advice from the text response accompanying the 403 to
decide whether they need to log off and log in as another user
or if they prefer to click the "back" button and ignore the error.

403 is quite a common error where WAF products are deployed, and it
would have a disastrous effect if it caused an automatic logout.

That said, I totally agree with you that if we could get the browsers
to include the logout method, we could start from a cleaner ground to
propose more reliable and user-friendly solutions even in 1.1. Maybe
we should consider that this feature exists and see what we can build
based on that assumption?

Willy

Received on Wednesday, 22 February 2012 13:22:56 UTC