- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Mon, 12 May 2014 09:32:05 +0200
- To: "henry.story@bblfish.net" <henry.story@bblfish.net>
- CC: "public-webid@w3.org" <public-webid@w3.org>
On 2014-05-07 11:48, henry.story@bblfish.net wrote:
> On 7 May 2014, at 08:42, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> I don't claim knowing everything so please bear with me when I ask a simple question :-)
>>
>> Using JBoss and Tomcat (java-based) servers an HTTPS Client Certificate Authenticated
>> session created from a browser *never terminates* regardless of session time-out settings
>> because the TLS session has no link into the Java Servlet web session framework.
>>
>> Due to this neither manual logout nor automatic logout work in such setups.
>>
>> Q1: how do other web-servers enforce logout from the server-side?
>> Q2: if other web-servers actually can do this, does this require TCP terminate?
>> Q3: if other web-servers actually can do this, does logout work for most/all browsers without specific measures?
>>
> As far as I can tell a server cannot force logout of the client, since the browsers tend to resend the same certificate
> to the server. You can only do this with Firefox which has a Javascript logout call currently. In my view login/logout
> has to be handled by the client in the chrome.

This is a unique problem for HTTPS Client Certificate Authentication; no other authentication method needs modifications of the chrome in order to perform logout or requires the client to support session timeout policies.

I can though imagine a chrome-based identity context but it should be optional and universal. It should probably also address logout to *all* enabled sites that you have encountered during your session on the web.

Anders

> This has been identified as a key improvement browser manufacturers need to make for privacy reasons.
>
> Henry
>
>
>> Anders
>>
> Social Web Architect
> http://bblfish.net/
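The gap Anders describes (the TLS client certificate is resent by the browser on every handshake, and the servlet container therefore re-creates a web session without any login or timeout policy being applied) can be narrowed on the server side by keeping login state per certificate in the application itself. The filter below is an added example written for this thread, not code from the thread, from Tomcat, or from JBoss. It assumes a Servlet 4.0 (javax.servlet) container with client-certificate authentication already configured; the filter name, the `/login` and `/logout` paths, the session attribute name and the 15-minute idle limit are this example's own choices. It cannot make the browser stop presenting the certificate, but it does make an explicit logout and an idle timeout effective at the application layer: after either, a request carrying the same certificate is refused until the user deliberately visits `/login`.

```java
// Added example for the thread above (not Tomcat/JBoss code): give a TLS
// client-certificate login an application-level lifetime, so that manual
// logout and idle timeout are enforced even though the browser resends the
// same certificate on every TLS session. Assumes Servlet 4.0 (javax.servlet).
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter("/*")
public class ClientCertSessionFilter implements Filter {

    // Standard attribute under which the container exposes the TLS client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String SESSION_FP = "clientCertFingerprint";   // example's own name
    private static final Duration IDLE_LIMIT = Duration.ofMinutes(15);   // assumed policy

    // Per-certificate state held by the application, independent of the TLS
    // session: when the certificate was last seen, and whether it must log in
    // again explicitly before being honoured.
    private final Map<String, Instant> lastSeen = new ConcurrentHashMap<>();
    private final Set<String> mustReauth = ConcurrentHashMap.newKeySet();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
            return;
        }
        String fp = fingerprint(certs[0]);
        Instant now = Instant.now();
        String path = request.getServletPath();

        if ("/logout".equals(path)) {
            // Manual logout: forget the certificate and demand an explicit /login
            // before any further request presenting it is accepted.
            endSession(request);
            lastSeen.remove(fp);
            mustReauth.add(fp);
            response.setContentType("text/plain");
            response.getWriter().write("Logged out");
            return;
        }

        if ("/login".equals(path)) {
            // A deliberate user action, as opposed to the browser's automatic resend.
            mustReauth.remove(fp);
        } else if (mustReauth.contains(fp)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Logged out; visit /login");
            return;
        } else {
            Instant seen = lastSeen.get(fp);
            if (seen != null && seen.plus(IDLE_LIMIT).isBefore(now)) {
                // Automatic logout: idle too long, so the resent certificate alone
                // is not enough to continue.
                endSession(request);
                lastSeen.remove(fp);
                mustReauth.add(fp);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired; visit /login");
                return;
            }
        }
        lastSeen.put(fp, now);

        HttpSession session = request.getSession(true);
        String bound = (String) session.getAttribute(SESSION_FP);
        if (bound == null) {
            // First request on this servlet session: bind it to the certificate.
            session.setAttribute(SESSION_FP, fp);
            session.setMaxInactiveInterval((int) IDLE_LIMIT.getSeconds());
        } else if (!bound.equals(fp)) {
            // Session cookie arrived with a different certificate: do not let one
            // identity continue another's session.
            endSession(request);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Certificate changed");
            return;
        }
        chain.doFilter(request, response);
    }

    private static void endSession(HttpServletRequest request) {
        HttpSession s = request.getSession(false);
        if (s != null) s.invalidate();
    }

    // SHA-256 over the DER encoding, used as a stable key for the certificate.
    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (GeneralSecurityException e) {
            throw new ServletException("Cannot fingerprint client certificate", e);
        }
    }
}
```

The state lives in the filter instance, so this only works as written for a single JVM; a clustered deployment would keep `lastSeen` and `mustReauth` in a shared store. The approach answers Q1 for the application layer only: the TLS session and the browser's choice of certificate remain untouched, which is exactly why Henry's point about the browser chrome still stands for a client-side logout.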
Received on Monday, 12 May 2014 07:32:42 UTC