Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

Thu 2012-03-01 at 09:14 +1300, Adrien de Croy wrote:
> > Not sure there even is a demand for protocol level indicated logoff
> > where the server at HTTP level tell the client to invalidate the cached
> > credentials.
> 
> Actually I would like to see this.
> 
> For example product admin back-ends which use http auth. We'd like to be 
> able to time out a user so someone else coming along (if the first user 
> didn't close the browser) doesn't gain access to things they shouldn't.

Yes. Applications need the ability to time out sessions.

Which begs the question, is that auth framework or scheme?

Digest auth can already be used in this manner by tracking server
nonce(s) or opaque, and forcing a 401 stale=false response if the
session has been timed out on the server side.

Regards
Henrik

Received on Wednesday, 29 February 2012 23:05:18 UTC
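
An added example, not part of the original message: a sketch of the server-side nonce tracking described above, where an idle session gets a 401 with stale=false (the client must ask the user for credentials again) while plain nonce rotation gets stale=true (the client retries silently). The class name, timeout values and the already-parsed Authorization parameter dict are assumptions; nc replay checks and request-URI matching are omitted.

```python
import hashlib, hmac, secrets, time

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

class DigestSessions:
    """Digest nonces used as session handles (RFC 2617, qop=auth)."""
    def __init__(self, realm, ha1_by_user, idle_timeout=900, nonce_lifetime=300,
                 clock=time.monotonic):
        self.realm, self.ha1 = realm, ha1_by_user  # ha1 = MD5(user:realm:password)
        self.idle_timeout, self.nonce_lifetime = idle_timeout, nonce_lifetime
        self.clock = clock
        self.nonces = {}  # nonce -> [issued_at, last_seen]

    def challenge(self, stale, last_seen=None):
        """Issue a fresh nonce; returns (401, WWW-Authenticate value)."""
        now = self.clock()
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, now if last_seen is None else last_seen]
        flag = "true" if stale else "false"
        return 401, (f'Digest realm="{self.realm}", qop="auth", '
                     f'nonce="{nonce}", stale={flag}')

    def handle(self, method, a):
        """a: parsed Authorization parameters. Returns (status, header or None)."""
        ha1 = self.ha1.get(a["username"])
        ha2 = md5_hex(f'{method}:{a["uri"]}')
        expected = md5_hex(f'{ha1}:{a["nonce"]}:{a["nc"]}:{a["cnonce"]}:auth:{ha2}')
        ok = ha1 is not None and hmac.compare_digest(
            expected.encode(), a["response"].encode())
        state = self.nonces.get(a["nonce"])
        if state is None or not ok:
            return self.challenge(stale=False)   # unknown nonce or bad credentials
        issued, last_seen = state
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self.nonces[a["nonce"]]
            return self.challenge(stale=False)   # session timed out: user is re-prompted
        if now - issued > self.nonce_lifetime:
            del self.nonces[a["nonce"]]
            # Valid digest on an old nonce: rotate it, session stays alive.
            return self.challenge(stale=True, last_seen=now)
        state[1] = now                           # record activity
        return 200, None
```

stale=true is only sent after the digest has verified against the old nonce, so a client that never knew the password cannot obtain a silent retry.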