Re: Authentication over HTTP

On Wed, Jul 17, 2013 at 1:50 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 17/07/2013 6:33 p.m., David Morris wrote:
>>   Oh, and no
>> logout mechanism to cancel browser caching of credentials?
>
>
> In the stateless HTTP "login" is done by delivering credentials or
> requesting them. But how *do* you "logout" in a stateless protocol? Nobody
> (self included) has produced anything like a good proposal spec for
> resolving that problem AFAIS.

HTTP is stateless.  The application protocol layered above HTTP
needn't be, and often isn't.  Session state is almost always desired,
though often with the client storing the state on behalf of the server
(via, e.g., encrypted state cookies, like TLS session tickets), though
there are trade-offs w.r.t. replay protection.

Nico
--
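As an added illustration of the "client stores the state on behalf of the server" approach Nico refers to (example code written for this page, not from the thread's authors or any project): a self-contained session ticket that is encrypted, integrity-protected, carries its own expiry and a random ticket id (`jti`), and a verifier that can run either fully stateless or with a server-side cache of used ids. The HMAC-in-counter-mode keystream, the two demo keys, the `seal`/`open_ticket` names and the `seen` set are all constructed here as stand-ins; a deployment would use a real AEAD (e.g. AES-GCM) and keys from a secret store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo keys. Rotating these is the only way to invalidate every
# outstanding purely-stateless ticket at once; there is no per-user "logout".
ENC_KEY = secrets.token_bytes(32)
MAC_KEY = secrets.token_bytes(32)

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 HMAC output


def _keystream(key, nonce, length):
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).
    A stdlib-only stand-in for a real cipher so the example runs offline."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(state, ttl_seconds, now=None):
    """Build a ticket: base64( nonce || Enc(state, exp, jti) || MAC )."""
    now = time.time() if now is None else now
    body = {"state": state, "exp": now + ttl_seconds, "jti": secrets.token_hex(8)}
    plaintext = json.dumps(body, separators=(",", ":")).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(ENC_KEY, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC under an independent key; the MAC also covers the nonce.
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def open_ticket(token, now=None, seen=None):
    """Return the embedded state, or None if the ticket is forged, expired or replayed.

    seen=None  -> the server keeps no state; any copy of a valid ticket is
                  accepted until it expires (replay is undetectable).
    seen=set() -> used ticket ids are remembered, so a replayed ticket is
                  rejected, at the cost of exactly the server-side state the
                  stateless design set out to avoid."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    if len(raw) < NONCE_LEN + TAG_LEN + 1:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    ks = _keystream(ENC_KEY, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, ks))
    try:
        body = json.loads(plaintext)
    except ValueError:
        return None
    if now >= body["exp"]:
        return None
    if seen is not None:
        if body["jti"] in seen:
            return None
        seen.add(body["jti"])
    return body["state"]


if __name__ == "__main__":
    ticket = seal({"user": "alice", "role": "reader"}, ttl_seconds=300)
    print("stateless #1:", open_ticket(ticket))
    print("stateless #2 (same ticket, still accepted):", open_ticket(ticket))
    used = set()
    print("with jti cache #1:", open_ticket(ticket, seen=used))
    print("with jti cache #2 (replay rejected):", open_ticket(ticket, seen=used))
```

The `seen` set is the trade-off in miniature: with it, replay within the validity window is caught and a logout can be implemented as "add this jti to the set", but the server is no longer stateless; without it, the only levers are a short `ttl_seconds` and key rotation. The set only has to remember ids until their `exp` passes, which bounds its size.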

Received on Wednesday, 17 July 2013 17:58:17 UTC