- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 01 Mar 2012 11:51:43 +1300
- To: <ietf-http-wg@w3.org>
On 01.03.2012 09:14, Adrien de Croy wrote:
> On 1/03/2012 8:32 a.m., Henrik Nordström wrote:
>> Wed 2012-02-22 at 15:02 +0100, Willy Tarreau wrote:
>> logoff is mostly in the realm of human interaction, so javascript
>> could do it nicely imho. Document.logoff() or similar.
>>
>> Not sure there even is a demand for protocol level indicated logoff
>> where the server at HTTP level tells the client to invalidate the
>> cached credentials.
>
> Actually I would like to see this.
>
> For example product admin back-ends which use http auth. We'd like to
> be able to time out a user so someone else coming along (if the first
> user didn't close the browser) doesn't gain access to things they
> shouldn't.

Timeout is only needed in the protocol if the server and client are not
timing out credentials, which raises the question of why the client and
server do not implement a timeout already. It is point-blank more secure.

You place a caveat on having not closed the browser. For good reason. The
protocol mandating that the client close the browser is useless. Yet a
protocol timeout would be a mandated equivalent of closing the browser.

TCP has this same problem and added TIME_WAIT to resolve it. We are today
faced with many complex features of HTTP/1.1 being designed explicitly to
avoid the problems it creates (pipelines, keep-alive, chunking, tunnels).
Let's not inflict mandatory authentication TIME_WAITs on users when a
server makes a mistake and terminates early.

AYJ
Received on Wednesday, 29 February 2012 22:52:10 UTC
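As an added example that is not part of this thread, and not code from Squid or any other project mentioned in it, the sketch below shows one way a server can already time out HTTP Digest credentials with what HTTP/1.1 provides, which is the point made above that the timeout belongs in the server and client rather than in a new protocol element. The nonce carries its issue time plus an HMAC tag, so the server stays stateless and the client cannot forge an older or newer nonce. Two thresholds are assumed for illustration: after NONCE_WINDOW the server answers 401 with stale=true (the client re-hashes with its cached password and is not prompted); after SESSION_LIFETIME, or on a wrong password or forged nonce, it answers 401 without stale, which is the signal that the credentials themselves are no longer accepted and the client should re-prompt. All names, constants, the realm, the user and the clock values are constructed for the example; the hashing follows the qop=auth, MD5 form of RFC 2617/7616.

```python
"""Server-side timeout of HTTP Digest credentials (example code, not from the thread)."""
import hashlib
import hmac

NONCE_WINDOW = 60        # seconds: after this a valid request gets 401 + stale=true (re-hash, no prompt)
SESSION_LIFETIME = 900   # seconds: after this the 401 carries no stale flag (client must re-prompt)
REALM = "admin"          # constructed realm for the example


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(secret, issued_at):
    """Nonce = issue time + HMAC tag; the tag stops a client from minting a younger nonce."""
    ts = str(int(issued_at))
    tag = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


def nonce_age(nonce, secret, now):
    """Seconds since the nonce was issued, or None if the tag does not verify or the time is malformed."""
    ts, _, tag = nonce.partition(":")
    if not ts.isdigit():
        return None
    expected = hmac.new(secret, ts.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return None
    return now - int(ts)


def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for qop=auth with the MD5 algorithm."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def challenge(secret, now, stale=False):
    """Build a 401 with a fresh nonce; stale=true only when the credentials were otherwise valid."""
    hdr = f'Digest realm="{REALM}", qop="auth", nonce="{make_nonce(secret, now)}"'
    if stale:
        hdr += ", stale=true"
    return 401, hdr


def authorize(params, method, secret, passwords, now):
    """params: fields of a parsed Authorization: Digest header. Returns (status, WWW-Authenticate or None)."""
    age = nonce_age(params["nonce"], secret, now)
    if age is None or age < 0 or age > SESSION_LIFETIME:
        return challenge(secret, now)            # forged, from the future, or past the session: logged out
    password = passwords.get(params["username"])
    if password is None:
        return challenge(secret, now)
    expected = digest_response(params["username"], password, method, params["uri"],
                               params["nonce"], params["nc"], params["cnonce"])
    if not hmac.compare_digest(expected, params["response"]):
        return challenge(secret, now)            # wrong password: no stale flag, client must re-prompt
    if age > NONCE_WINDOW:
        return challenge(secret, now, stale=True)  # good credentials, old nonce: silent re-hash
    return 200, None


def client_request(nonce, username, password, method, uri, nc="00000001", cnonce="0a4f113b"):
    """What a client would put in its Authorization header for the given challenge nonce."""
    return {"username": username, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response(username, password, method, uri, nonce, nc, cnonce)}


def summarize(result):
    status, hdr = result
    return status, bool(hdr and "stale=true" in hdr)


def demo():
    """Constructed scenario: one challenge at t0, then requests at several later times."""
    secret = b"constructed-server-secret-for-the-example"
    passwords = {"alice": "correct horse"}
    t0 = 1_330_000_000                                   # constructed clock value (seconds)
    _, hdr = challenge(secret, t0)
    nonce = hdr.split('nonce="')[1].split('"')[0]
    good = client_request(nonce, "alice", "correct horse", "GET", "/admin")
    bad = client_request(nonce, "alice", "wrong", "GET", "/admin")
    forged = dict(good, nonce=f"{t0}:deadbeef")           # time is right, tag is not
    return {
        "fresh": summarize(authorize(good, "GET", secret, passwords, t0 + 10)),
        "wrong_password": summarize(authorize(bad, "GET", secret, passwords, t0 + 10)),
        "nonce_window_passed": summarize(authorize(good, "GET", secret, passwords, t0 + 120)),
        "session_expired": summarize(authorize(good, "GET", secret, passwords, t0 + 1000)),
        "forged_nonce": summarize(authorize(forged, "GET", secret, passwords, t0 + 10)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: status={outcome[0]} stale={outcome[1]}")
```

The caveat that matters for the thread: the server can stop accepting a credential, but whether the browser then discards its cached copy and re-prompts is client behaviour; a 401 without stale=true is the defined signal for that, and a client that keeps retrying the cached password is the situation Adrien describes, which no protocol-level logoff fixes either.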