Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 01.03.2012 09:14, Adrien de Croy wrote:
> On 1/03/2012 8:32 a.m., Henrik Nordström wrote:
>> On Wed 2012-02-22 at 15:02 +0100, Willy Tarreau wrote:
>> logoff is mostly in the realm of human interaction, so JavaScript could
>> do it nicely imho. Document.logoff() or similar.
>>
>> Not sure there even is a demand for protocol level indicated logoff
>> where the server at HTTP level tells the client to invalidate the cached
>> credentials.
>
> Actually I would like to see this.
>
> For example product admin back-ends which use http auth. We'd like to
> be able to time out a user so someone else coming along (if the first
> user didn't close the browser) doesn't gain access to things they
> shouldn't.

Timeout is only needed in the protocol if the server and client are not
timing out credentials. Bringing up the question of why do the client
and server not implement a timeout already? It is point-blank more
secure.

You place a caveat on having not closed the browser. For good reason.
The protocol mandating that the client close the browser is useless. Yet
a protocol timeout would be a mandated equivalent of closing the
browser. TCP has this same problem and added TIME_WAIT to resolve it. We
are today faced with many complex features of HTTP/1.1 being designed
explicitly to avoid the problems it creates (pipelines, keep-alive,
chunking, tunnels). Let's not inflict mandatory authentication TIME_WAITs
on users when a server makes a mistake and terminates early.

AYJ

Received on Wednesday, 29 February 2012 22:52:10 UTC
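The message above argues that a server can already time out cached HTTP credentials without any new protocol feature. The following is an added example written for this page, not code from the thread or from any of the participants. It assumes a single-admin Basic auth back-end (the "product admin back-end" case), a constructed user table, and the fact that browsers cache Basic credentials per protection space (the realm). After an idle period the server rotates the realm string and refuses credentials that arrive before the fresh challenge has been issued; the browser's cached credentials therefore no longer apply and the next person at the keyboard is prompted for the password. Names such as `BasicAuthTimeout`, `handle` and `basic_header` are this example's own.

```python
import base64
import hmac
import secrets
import time

# Constructed credential store for the example (not from the thread).
USERS = {"admin": "correct horse battery staple"}


def basic_header(user, password):
    """Build the Authorization header value a client would send for Basic auth."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class BasicAuthTimeout:
    """Server-side idle timeout for HTTP Basic credentials.

    Browsers cache Basic credentials per protection space (realm).  When the
    session has been idle longer than `ttl_seconds`, the server rotates the
    realm string.  Credentials arriving before the new challenge has been sent
    are rejected, so a browser replaying its cached credentials gets a 401
    carrying an unfamiliar realm and prompts the user again.
    """

    def __init__(self, ttl_seconds, base_realm="admin"):
        self.ttl = ttl_seconds
        self.base_realm = base_realm
        self.realm = self._new_realm()
        self.challenged = False   # has the current realm been sent to the client?
        self.last_seen = None     # time of the last authenticated request

    def _new_realm(self):
        # A random suffix makes the realm (and so the cache key) unpredictable.
        return "%s-%s" % (self.base_realm, secrets.token_hex(4))

    def _challenge(self):
        self.challenged = True
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm}

    def _valid(self, authorization):
        if not authorization or not authorization.startswith("Basic "):
            return False
        try:
            decoded = base64.b64decode(authorization[6:]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        user, _, password = decoded.partition(":")
        expected = USERS.get(user)
        # Constant-time comparison so the password check does not leak timing.
        return expected is not None and hmac.compare_digest(
            expected.encode("utf-8"), password.encode("utf-8"))

    def handle(self, authorization, now=None):
        """Return (status, extra_headers) for a request carrying `authorization`."""
        now = time.time() if now is None else now
        if self.last_seen is not None and now - self.last_seen > self.ttl:
            # Idle too long: forget the session and move to a new protection
            # space.  The browser's cached credentials belong to the old realm.
            self.realm = self._new_realm()
            self.challenged = False
            self.last_seen = None
        if not self.challenged or not self._valid(authorization):
            return self._challenge()
        self.last_seen = now
        return 200, {}


if __name__ == "__main__":
    # Walk through: prompt, login, activity, idle timeout, re-prompt.
    auth = BasicAuthTimeout(ttl_seconds=60)
    creds = basic_header("admin", USERS["admin"])
    for t, hdr in [(0, None), (1, creds), (30, creds), (200, creds), (201, creds)]:
        print(t, auth.handle(hdr, now=t))
```

Only the server state changes between the two 401 responses; the client is never told to "log off", it simply finds that its cached credentials belong to a realm the server no longer serves. The example keeps one shared session for the whole realm, which matches a single-admin back-end; a multi-user service would track idle time per credential and would more naturally use Digest auth, where nonce expiry and `stale=true` give the same effect without changing the realm.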