- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 22 Feb 2012 15:02:49 +0100
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Robert Collins <robertc@squid-cache.org>, Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Feb 22, 2012 at 02:37:44PM +0100, Julian Reschke wrote:
> >403 is quite a common error where WAF products are deployed, and it
> >would have a disastrous effect if it would cause an automatic logout.
>
> That's why I suggested that the server decides by including the
> necessary client side JS code...

I think that sometimes the server wants to cause the logout (eg: application status code) and sometimes the user wants to log off. Many web developers working in environments where basic auth is in use are used to opening/closing their browser all day due to the lack of a logoff button.

> >That said, I totally agree with you that if we could get the browsers
> >include the logout method, we could start from a cleaner ground to
> >propose more reliable and user-friendly solutions even in 1.1. Maybe
> >we should consider that this feature exists and see what we can build
> >based on that assumption ?
>
> Maybe.
>
> My impression is that every time this topic comes up people compile a
> large list of things-that-absolutely-need-to-be-done, and in the end
> nothing ever happens because that list is too long, and there's
> disagreement what should be on the list.

I'm not surprised. In fact, I tend to prefer basic building blocks on top of which other things may be built, but right now it's obvious that some such blocks are missing.

> I think there's rough consensus that to make HTTP authentication work
> better in practice, servers need to be able to logout the user. As far
> as I can tell, a straightforward way to do so is to have a browser API
> for that. It's a shame there's no progress on that.

If we had the browsers provide the logoff button, then the current 403 is already enough for user-initiated action. If we want the server to force a logoff, we possibly need to define how this is supposed to be done.

Note that in this case it's a change of authentication, which is different from a lack of authorization (eg: return 401 with an empty www-authenticate response). I do think that all of that might be defined in 1.1 without touching the in-browser API if browser vendors collaborate; we just have to define how it should work and still be compatible with non-compliant browsers (possibly returning 401 without a www-authenticate header has no negative effect on older browsers, I'm just suggesting). It would be nice to have their opinion here. Patrick, Anne, any idea?

We also need to keep in mind there are non-browser UAs. Maybe Daniel has some useful ideas based on how curl handles 401.

Regards,
Willy
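The three server responses the message above distinguishes, as an added Python example that is not code from the thread or from any browser or server project: a WAF-style 403 that is purely an authorization result and must not disturb the browser's cached credentials, a 401 carrying a WWW-Authenticate challenge for missing or invalid credentials, and a 401 without any challenge header as the speculative server-forced logoff. The user store, the realm name and the /logout path are constructed assumptions for the demo.

```python
import base64
import hmac

# Constructed demo credential store and realm (assumptions, not from the thread).
USERS = {"alice": "correct horse battery staple"}
REALM = "demo"


def make_basic_header(user, password):
    """Build the Authorization header value a Basic-auth client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(value):
    """Return (user, password) from a 'Basic <base64>' header value, or None if malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-alphabet bytes instead of silently dropping them.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time password check; unknown users still pay for a comparison."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode("utf-8"), b"x" * 32)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def handle(path, headers, waf_blocked=False):
    """Return (status, response_headers) for one request.

    waf_blocked simulates an upstream WAF decision: it yields a plain 403 with no
    authentication header, so a client has no reason to discard its credentials.
    /logout answers 401 with no WWW-Authenticate, the "change of authentication"
    signal the message speculates about; everything else is ordinary Basic auth.
    """
    if waf_blocked:
        return 403, {}
    if path == "/logout":
        return 401, {}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    return 200, {}


if __name__ == "__main__":
    auth = make_basic_header("alice", "correct horse battery staple")
    print(handle("/", {}))                                   # challenge
    print(handle("/", {"Authorization": auth}))              # authenticated
    print(handle("/", {"Authorization": auth}, waf_blocked=True))  # 403, no challenge
    print(handle("/logout", {"Authorization": auth}))        # 401, no challenge
```

The point of keeping the three branches separate is observable in the headers: only the "not authenticated" branch carries a challenge, so whatever a user agent decides to do with a challenge-less 401 (the open question in the thread), it cannot confuse it with a WAF 403 or with an ordinary authentication failure.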
Received on Wednesday, 22 February 2012 14:03:30 UTC