
Re: WebID-TLS lacks server logout

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 18 May 2014 10:30:22 +0200
Message-ID: <CAKaEYh+aLj3j76SSoH-UEqTR1wprGGrYnAxJRAUSRpcssAqdqA@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webid@w3.org" <public-webid@w3.org>

On 18 May 2014 10:07, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-05-18 09:59, Melvin Carvalho wrote:
> >
> >     I don't disagree but banks do not like the idea that you may be logged in for
> >     days without doing anything.  It all goes back to the fact that HTTPS CCA is
> >     incompatible with established methods for maintaining web sessions.
> >
> >
> > Surely they can just break the session on the server side, then.  Like they do already with cookies?
>
> No, there is no such function in for example Java Servlets.
>
> HttpSession.invalidate() only works for cookie or URL-based sessions:
>
>
> http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#invalidate()
>

Henry is the expert on this, I don't think he used HttpSession.invalidate()
see:

http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0039.html


>
> Anders
>
>
Received on Sunday, 18 May 2014 08:30:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC