
Re: WebID-TLS lacks server logout

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 18 May 2014 11:08:35 +0200
Message-ID: <CAKaEYh+2weXQx5+XGeSo-HGTDsR0=GUzYe903_OHbiSHYwNtLQ@mail.gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: "public-webid@w3.org" <public-webid@w3.org>

On 18 May 2014 10:52, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2014-05-18 10:30, Melvin Carvalho wrote:
> >
> > On 18 May 2014 10:07, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> >
> >     On 2014-05-18 09:59, Melvin Carvalho wrote:
> >     >
> >     >     I don't disagree but banks do not like the idea that you may
> >     >     be logged in for days without doing anything.  It all goes
> >     >     back to the fact that HTTPS CCA is incompatible with
> >     >     established methods for maintaining web sessions.
> >     >
> >     > Surely they can just break the session on the server side, then.
> >     > Like they do already with cookies?
> >
> >     No, there is no such function in for example Java Servlets.
> >
> >     HttpSession.invalidate() only works for cookie or URL-based sessions:
> >
> >     http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html#invalidate()
> >
> > Henry is the expert on this, I don't think he used
> > HttpSession.invalidate() see:
> >
> > http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0039.html
>
> Doesn't the browser vendor response to that
>
> http://lists.w3.org/Archives/Public/public-xg-webid/2011Oct/0056.html
>
> indicate that the WebID group is on an already failed mission?
>

Again you are conflating WebID and WebID + TLS.

If you use the correct terminology when saying "fail" (what exactly has
failed in your eyes?) it might be more constructive.


>
>   "The use of separate domains is recommended so that you can have one
>    domain never request for the certificate (the "browse" site), and the
>    other domain always request & require a certificate (the "login" site)"
>
> This is a very clumsy solution but this is all we got.  I can hardly
> see this becoming a de-facto standard.  U2F doesn't come with a "kludge".
>

I could not comment on whether this is "all we've got" or not.  I'm not a
Java TLS expert.

However, this is a common pattern on the web.

You sign in via sso.example.com or login.example.com and browse at
www.example.com.

I see it all over the place.


>
> Anders
>
> >     Anders
>
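The exchange above turns on one point: HttpSession.invalidate() ends a cookie or URL session, but it cannot make a browser forget a client certificate, so with plain HTTPS client-certificate authentication (CCA) there is nothing on the server to "break". The two-domain pattern quoted from the earlier thread works around that by keeping the certificate challenge on a login host and running the rest of the site on an ordinary cookie session that the server owns. The model below is an added example, not code from this thread or from any WebID implementation; the host names, the SessionStore class, the idle timeout and the constructed certificate bytes are all assumptions made for illustration.

```python
"""Model of the "login host requests a cert, browse host never does" pattern.

Added example, not from the public-webid thread. Assumptions (mine): the TLS
terminator on LOGIN_HOST requests a client certificate and hands the DER bytes
to the application; BROWSE_HOST never requests one; the application issues a
cookie-backed session bound to the certificate fingerprint. Logout and idle
expiry act on that application session, which the server fully controls,
rather than on the TLS layer, which it does not.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

LOGIN_HOST = "login.example.com"   # always requests and requires a client cert
BROWSE_HOST = "www.example.com"    # never requests a client cert


@dataclass
class Request:
    host: str
    cookie: Optional[str] = None
    client_cert_der: Optional[bytes] = None   # only set when the TLS handshake asked for a cert
    now: float = field(default_factory=time.time)


@dataclass
class Session:
    cert_fingerprint: str
    created: float
    last_seen: float


class SessionStore:
    IDLE_TIMEOUT = 15 * 60   # seconds without activity before the app session dies

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, req: Request) -> str:
        """Explicit login action on the login host: bind a fresh cookie session to the cert."""
        if req.host != LOGIN_HOST or req.client_cert_der is None:
            raise PermissionError("login requires a client certificate on the login host")
        fingerprint = hashlib.sha256(req.client_cert_der).hexdigest()
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(fingerprint, req.now, req.now)
        return session_id

    def authenticate(self, req: Request) -> Optional[str]:
        """Return the cert fingerprint behind an active app session, else None.

        Note that a certificate presented on the login host does NOT by itself
        revive a session; only the explicit login() action does. That is what
        makes a server-side logout stick even though the browser keeps the cert.
        """
        session = self._sessions.get(req.cookie) if req.cookie else None
        if session is None:
            return None
        if req.now - session.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[req.cookie]
            return None
        session.last_seen = req.now
        return session.cert_fingerprint

    def logout(self, cookie: str) -> bool:
        """Server-side invalidation: the cert stays in the browser, the app session is gone."""
        return self._sessions.pop(cookie, None) is not None

    def logout_certificate(self, fingerprint: str) -> int:
        """Terminate every session bound to one certificate (e.g. the key is reported lost)."""
        doomed = [sid for sid, s in self._sessions.items() if s.cert_fingerprint == fingerprint]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo() -> dict:
    """Walk through login, browse, logout, idle expiry and per-cert revocation."""
    store = SessionStore()
    cert = b"CONSTRUCTED-SAMPLE-DER-BYTES-NOT-A-REAL-CERT"   # constructed input
    fingerprint = hashlib.sha256(cert).hexdigest()
    t0 = 1_700_000_000.0
    results = {}

    sid = store.login(Request(LOGIN_HOST, client_cert_der=cert, now=t0))
    results["browse_after_login"] = store.authenticate(Request(BROWSE_HOST, cookie=sid, now=t0 + 1)) == fingerprint
    results["logout"] = store.logout(sid)
    results["browse_after_logout"] = store.authenticate(Request(BROWSE_HOST, cookie=sid, now=t0 + 2))
    # The browser still holds the cert and re-presents it on the login host, but the
    # old cookie no longer maps to a session, so the user is anonymous until login() runs again.
    results["login_host_with_cert_after_logout"] = store.authenticate(
        Request(LOGIN_HOST, cookie=sid, client_cert_der=cert, now=t0 + 3))

    sid2 = store.login(Request(LOGIN_HOST, client_cert_der=cert, now=t0 + 4))
    results["idle_expired"] = store.authenticate(
        Request(BROWSE_HOST, cookie=sid2, now=t0 + 4 + SessionStore.IDLE_TIMEOUT + 1))

    store.login(Request(LOGIN_HOST, client_cert_der=cert, now=t0 + 5))
    results["revoked_by_cert"] = store.logout_certificate(fingerprint)

    try:
        store.login(Request(BROWSE_HOST, client_cert_der=cert, now=t0 + 6))
        results["browse_host_login_rejected"] = False
    except PermissionError:
        results["browse_host_login_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noticing is that the certificate is only ever an input to an explicit login action; authorization on every later request is decided by the server-held session, which is why the server can end it. Whether the idle timeout and the revocation-by-fingerprint path are acceptable is the policy question the banks in the thread are raising, and this model makes both of them concrete knobs rather than something the TLS layer decides.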
Received on Sunday, 18 May 2014 09:09:03 UTC