
Re: WebID-TLS lacks server logout

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 18 May 2014 10:07:28 +0200
Message-ID: <53786A40.6070009@gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
CC: "public-webid@w3.org" <public-webid@w3.org>

On 2014-05-18 09:59, Melvin Carvalho wrote:
> 
>     I don't disagree but banks do not like the idea that you may be logged in for
>     days without doing anything.  It all goes back to the fact that HTTPS CCA is
>     incompatible with established methods for maintaining web sessions.
> 
> 
> Surely they can just break the session on the server side, then.  Like they do already with cookies?

No, there is no such function in, for example, Java Servlets.

HttpSession.invalidate() only works for cookie or URL-based sessions:

http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#invalidate()

Anders
Received on Sunday, 18 May 2014 08:08:02 UTC
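
Added example, not part of the original message or of any project's code: a servlet that makes the behaviour described above observable. It assumes a container configured to request TLS client certificates; the class name and the `/logout` path are hypothetical.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical demo servlet; map it to a path prefix such as /demo/*.
public class CertLogoutDemoServlet extends HttpServlet {
    // Servlet API request attribute that carries the TLS client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");

        // The certificate comes from the TLS connection, not from the HttpSession.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String subject = (chain != null && chain.length > 0)
                ? chain[0].getSubjectX500Principal().getName()
                : "(no client certificate)";

        if ("/logout".equals(req.getPathInfo())) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                // Discards the cookie/URL-tracked session state on the server.
                session.invalidate();
            }
            // Nothing here tells the browser to stop presenting the certificate.
            resp.getWriter().println("session invalidated; certificate still seen: " + subject);
            return;
        }

        // Any later request: a fresh session is created, and the same certificate
        // identity is available again, so cert-based login is re-established.
        HttpSession session = req.getSession(true);
        resp.getWriter().println("new session: " + session.isNew()
                + ", certificate subject: " + subject);
    }
}
```

Requesting `/logout` and then any other path under the servlet shows `new session: true` with the same certificate subject, which is the gap between session invalidation and client-certificate authentication that the message points to.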