Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 2012-02-22 14:22, Willy Tarreau wrote:
> On Wed, Feb 22, 2012 at 12:47:55PM +0100, Julian Reschke wrote:
>> On 2012-02-22 12:16, Willy Tarreau wrote:
>>> ...
>>> There's nothing wrong, but I've never seen a browser suggest to logout/relog
>>> upon a 403. Also, since browsers don't offer the possibility to logout in
>>> general, it's hard to suggest that this possibility should be specifically
>>> offered upon 403. In fact it's the global authentication/authorization
>>> mechanism that should be cleaned up in 2.0 and I don't think it's too hard,
>>> we just have to clearly state that we might break *some* of the 1.1
>>> assumptions.
>>> ...
>>
>> If browsers had an API for logging off, servers could send a 403
>> response page *doing* the log off. Wouldn't that be sufficient?
>
> In my opinion, 403 is an authorization issue, and it can come from
> the user attempting to perform an unauthorized operation or just
> that the lack of authorization requires a re-login. Only the user
> can decide. So I think that the 403 response shouldn't cause the
> logout to happen, but just make the browser ask the user if he
> prefers to log out or to continue normal browsing. A "log off"
> button on the top right corner would definitely help. Users could
> take the advice from the text response accompanying the 403 to
> decide whether they need to log off and log in as another user
> or if they prefer to click the "back" button and ignore the error.
>
> 403 is quite a common error where WAF products are deployed, and it
> would have a disastrous effect if it would cause an automatic logout.

That's why I suggested that the server decides by including the
necessary client-side JS code...

> That said, I totally agree with you that if we could get the browsers
> include the logout method, we could start from a cleaner ground to
> propose more reliable and user-friendly solutions even in 1.1. Maybe
> we should consider that this feature exists and see what we can build
> based on that assumption?

Maybe.

My impression is that every time this topic comes up people compile a
large list of things-that-absolutely-need-to-be-done, and in the end
nothing ever happens because that list is too long, and there's
disagreement about what should be on the list.

I think there's rough consensus that to make HTTP authentication work
better in practice, servers need to be able to log out the user. As far
as I can tell, a straightforward way to do so is to have a browser API
for that. It's a shame there's no progress on that.

Best regards, Julian

Received on Wednesday, 22 February 2012 13:38:31 UTC