- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 01 Mar 2012 13:19:30 +1300
- To: <ietf-http-wg@w3.org>
On 01.03.2012 12:04, Henrik Nordström wrote:
> Thu 2012-03-01 at 09:14 +1300, Adrien de Croy wrote:
>> > Not sure there even is a demand for protocol level indicated logoff
>> > where the server at HTTP level tells the client to invalidate the cached
>> > credentials.
>>
>> Actually I would like to see this.
>>
>> For example product admin back-ends which use http auth. We'd like to be
>> able to time out a user so someone else coming along (if the first user
>> didn't close the browser) doesn't gain access to things they shouldn't.
>
> Yes. Applications need the ability to time out sessions.
>
> Which begs the question, is that auth framework or scheme?
>
> digest auth can already be used in this manner by tracking server
> nonce(s) or opaque, and forcing a 401 stale=false response if the
> session has been timed out on the server side.

Basic auth can do this in a limited way by using a nonce token instead of a password: the server rejects the old "password" with a 401 after a timeout, requiring a new random or cyclic one to be sent by the client.

AYJ
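As an added illustration of the Digest approach Henrik describes (this is example code written for this page, not code from the thread or from any participant's product): a minimal server-side check that issues HMAC-stamped nonces, validates the RFC 2617 response, and answers stale=true when only the nonce has aged but stale=false when the server-side session has idled out, so the browser discards its cached credentials and prompts again. The realm, user store, secret and timeouts are constructed values.

```python
import hashlib
import hmac

REALM = "admin"                       # constructed realm for the example
SECRET = b"per-process-random-key"    # constructed; use a real random key in practice
USERS = {"alice": "correct horse"}    # constructed user store (plaintext only for brevity)
NONCE_TTL = 300     # seconds before a nonce is too old: answer stale=true, client retries silently
SESSION_TTL = 600   # seconds of inactivity before the user is logged off: answer stale=false

def make_nonce(now):
    """Nonce = issue-time:HMAC(issue-time), so the server can verify it without storing it."""
    ts = str(int(now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}:{mac}"

def nonce_age(nonce, now):
    """Seconds since the nonce was issued, or None if this server never issued it."""
    ts, _, mac = nonce.partition(":")
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:16]
    if not ts.isdigit() or not hmac.compare_digest(mac, expected):
        return None
    return now - int(ts)

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()
def digest_response(user, password, method, uri, nonce):
    """RFC 2617 response (no qop; MD5 because the scheme specifies it). Also used client-side here."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def check(sessions, user, method, uri, nonce, response, now):
    """Validate one request; sessions maps user -> last accepted time. Returns ("ok", None) or ("401", header)."""
    def challenge(stale):
        flag = "true" if stale else "false"
        return "401", f'Digest realm="{REALM}", nonce="{make_nonce(now)}", stale={flag}'
    last = sessions.get(user)
    if last is not None and now - last > SESSION_TTL:
        del sessions[user]           # server-side logoff: stale=false makes the browser
        return challenge(False)      # drop its cached credentials and prompt the user again
    password = USERS.get(user)
    age = nonce_age(nonce, now)
    if password is None or age is None or not hmac.compare_digest(
            response, digest_response(user, password, method, uri, nonce)):
        return challenge(False)      # wrong credentials or a nonce we never issued
    if age > NONCE_TTL:
        return challenge(True)       # credentials fine, nonce merely old: retry without prompting
    sessions[user] = now             # accepted: extend the session
    return "ok", None
```

The distinction matters in practice: stale=true lets the client retry with its cached credentials, which is what a per-nonce replay limit wants, while only stale=false produces the interactive logoff Adrien asks for.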
Received on Thursday, 1 March 2012 00:19:59 UTC