W3C home > Mailing lists > Public > public-webid@w3.org > May 2014

Re: WebID-TLS lacks server logout

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 18 May 2014 10:52:52 +0200
Message-ID: <537874E4.1020108@gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
CC: "public-webid@w3.org" <public-webid@w3.org>
On 2014-05-18 10:30, Melvin Carvalho wrote:
> 
> 
> 
> On 18 May 2014 10:07, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
> 
>     On 2014-05-18 09:59, Melvin Carvalho wrote:
>     >
>     >     I don't disagree but banks do not like the idea that you may be logged in for
>     >     days without doing anything.  It all goes back to the fact that HTTPS CCA is
>     >     incompatible with established methods for maintaining web sessions.
>     >
>     >
>     > Surely they can just break the session on the server side, then.  Like they do already with cookies?
> 
>     No, there is no such function in for example Java Servlets.
> 
>     HttpSession.invalidate() only works for cookie or URL-based sessions:
> 
>     http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#invalidate()
> 
> 
> Henry is the expert on this, I dont think he used HttpSession.invalidate() see:
> 
> http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0039.html

Doesn't the browser vendor response to that

http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0056.html

indicate that the WebID group is on an already failed mission?

  "The use of separate domains is recommended so that you can have one domain
   never request for the certificate (the "browse" site), and the other
   domain always request & require a certificate (the "login" site)"

This is a very clumsy solution but this is all we got.  I can hardly
see this becoming a de-facto standard.  U2F doesn't come with a "kludge".

Anders

>  
> 
> 
>     Anders
> 
> 
Received on Sunday, 18 May 2014 08:53:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:05:55 UTC