Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis) from Adrien de Croy on 2012-02-29 (ietf-http-wg@w3.org from January to March 2012)

From: Adrien de Croy <adrien@qbik.com>
Date: Thu, 01 Mar 2012 12:02:54 +1300
To: Amos Jeffries <squid3@treenet.co.nz>
CC: ietf-http-wg@w3.org
Message-ID: <4F4EAE9E.8010208@qbik.com>

On 1/03/2012 11:51 a.m., Amos Jeffries wrote:
> On 01.03.2012 09:14, Adrien de Croy wrote:
>> On 1/03/2012 8:32 a.m., Henrik Nordström wrote:
>>> ons 2012-02-22 klockan 15:02 +0100 skrev Willy Tarreau:
>>> logoff is mostly in the realm of human interaction, so javascript could
>>> do it nicely imho. Document.logoff() or similar.
>>>
>>> Not sure there even is a demand for protocol level indicated logoff
>>> where the server at HTTP level tell the client to invalidate the cached
>>> credentials.
>>
>> Actually I would like to see this.
>>
>> For example product admin back-ends which use http auth. We'd like to
>> be able to time out a user so someone else coming along (if the first
>> user didn't close the browser) doesn't gain access to things they
>> shouldn't.
>
> Timeout is only needed in the protocol if the server and client are 
> not timing out credentials. bringing up the question of why do the 
> client and server not implement a timeout already? it is point-blank 
> more secure.

sure, I presume you mean by timeout in the credentials, timeout of some 
token associated with the creds, rather than invalidating the password.

there's no room for this in Basic or NTLM.  Not sure about Digest.  
That's why I proposed Kerberos.

>
> You place a caveat on having not closed the browser. For good reason. 
> The protocol mandating that the client close the browser is useless. 
> Yet a protocol timeout would be a mandated equivalent of closing the 
> browser. TCP has this same problem and added TIME_WAIT to resolve it. 
> We are today faced with many complex features of HTTP/1.1 being 
> designed explicitly to avoid the problems it creates (pipelines, 
> keep-alive, chunking, tunnels). Lets not inflict mandatory 
> authentication TIME_WAITs on users when a server makes a mistake and 
> terminates early.

Don't follow you here.  Server can't rely on client to do anything it's 
told.  It has to manage resources, therefore it has to be allowed to 
timeout connections, auth tokens whatever.

Regards

Adrien

>
> AYJ
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 is released! - http://www.wingate.com/getlatest/

Received on Wednesday, 29 February 2012 23:03:22 UTC