- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Sun, 18 May 2014 10:52:52 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: "public-webid@w3.org" <public-webid@w3.org>
On 2014-05-18 10:30, Melvin Carvalho wrote:
>
> On 18 May 2014 10:07, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
>> On 2014-05-18 09:59, Melvin Carvalho wrote:
>>
>> I don't disagree but banks do not like the idea that you may be logged in for
>> days without doing anything. It all goes back to the fact that HTTPS CCA is
>> incompatible with established methods for maintaining web sessions.
>
> Surely they can just break the session on the server side, then. Like they do already with cookies?
>
>> No, there is no such function in for example Java Servlets.
>> HttpSession.invalidate() only works for cookie or URL-based sessions:
>> http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#invalidate()
>
> Henry is the expert on this, I don't think he used HttpSession.invalidate() see:
> http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0039.html

Doesn't the browser vendor response to that
http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0056.html
indicate that the WebID group is on an already failed mission?

"The use of separate domains is recommended so that you can have one domain never request for the certificate (the "browse" site), and the other domain always request & require a certificate (the "login" site)"

This is a very clumsy solution but this is all we got. I can hardly see this becoming a de-facto standard.

U2F doesn't come with a "kludge".

Anders

>> Anders
Received on Sunday, 18 May 2014 08:53:24 UTC
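An added example, not from this thread or from any WebID project: a hypothetical Java servlet filter (CertSessionFilter, with an assumed 15-minute idle limit and an assumed /login path) that gives a TLS client-certificate login the server-side idle timeout the banks in the thread want, since HttpSession.invalidate() cannot end a certificate-based session. It can only refuse requests; the browser keeps presenting the certificate, which is exactly the limitation Anders describes.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter. A TLS client-cert (CCA) login has no HttpSession.invalidate()
// equivalent, so the application keeps its own idle timer keyed by certificate
// fingerprint. The browser still sends the certificate on every request; the server
// can only refuse service until the user visits the login path again.
public class CertSessionFilter implements Filter {
    private static final long IDLE_LIMIT_MS = 15 * 60 * 1000L; // assumed policy
    private static final String LOGIN_PATH = "/login";          // assumed path
    private final ConcurrentHashMap<String, Long> lastSeen = new ConcurrentHashMap<>();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Standard request attribute under which the container exposes the client chain
        X509Certificate[] certs = (X509Certificate[])
            request.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) { response.sendError(401); return; }
        String key;
        try { key = fingerprint(certs[0]); }
        catch (Exception e) { throw new ServletException("unreadable client certificate", e); }
        long now = System.currentTimeMillis();
        Long previous = lastSeen.get(key);
        boolean expired = previous == null || now - previous > IDLE_LIMIT_MS;
        if (expired && !LOGIN_PATH.equals(request.getRequestURI())) {
            lastSeen.remove(key); // the server-side "break the session" step
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session expired");
            return;
        }
        lastSeen.put(key, now);   // explicit login, or an active session being extended
        chain.doFilter(req, res);
    }

    // SHA-256 over the DER encoding: a stable identity for the presented certificate
    private static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Stale entries in lastSeen should be pruned periodically; that housekeeping is omitted here.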