
[whatwg] connecting usernames and passwords

From: Greg Kilwein <gkilwein@fbsdata.com>
Date: Fri, 17 Dec 2004 11:43:41 -0600
Message-ID: <41C31ACC.9050102@fbsdata.com>
Related to this, it would be nice to have a standard, simple way for a 
browser session to "log out" of its HTTP authentication.  Currently with 
some UAs, a user must close all of his or her browser windows and/or 
tabs in order to be able to log in as someone else.  Granted, there are 
ways to trick the browser into popping up the authentication box, but it 
would be nice to have a standard "log out" feature.

The way HTTP authentication is implemented now assumes that the user 
will never want to change usernames.  This is simply not true in every 
case, even if it is for the majority of cases.

I'm not sure of the best way to accomplish this log out functionality 
(headers? HTML tags?) but this certainly would be a helpful feature in 
the web application that I develop.  Has anyone else experienced a 
situation in which this feature would be useful, or have any ideas about 
how it could be accomplished that would be within the scope of this group?

Greg


Ian Hickson wrote:

>On Fri, 17 Dec 2004, Matthew Thomas wrote:
>
>>Future browsers could, instead of displaying an alert for HTTP 
>>authentication, provide the authentication UI in a panel at the top of 
>>the non-authenticated page (fixing annoying modality issues in the 
>>process). That wouldn't require any change to HTTP authentication 
>>either.
>
>A very interesting idea. The problem with that is that if you show the
>401 page at the moment, you'll get something like:
>
>    401 UNAUTHORIZED
>
>    YOU DO NOT HAVE THE PROPER PERMISSIONS
>
>
>
>   ___________________________________________________________
>    Username: [_____]  Password: [_______]   (Login)      [X]
>
>...whenever you reach an HTTP-protected page, which is suboptimal at
>best.
>
>We could get around that by saying that you can include
>WWW-Authenticate headers with 200 OK responses as well (nothing in
>HTTP seems to say you can't), and that if you do, then the bar is
>shown as above ("interactive user agents should provide a non-modal
>authentication interface"). Then, if you've already sent your
>credentials and you get a 401, then you get the 401 page and the bar,
>instead of the modal dialog.
Received on Friday, 17 December 2004 09:43:41 UTC
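
The behaviour proposed in the quoted text (a WWW-Authenticate challenge sent with a 200 OK response, and a 401 only once credentials have been sent and rejected), sketched as server-side decision logic for HTTP Basic. This is an added example, not code from the thread; the realm, the user table and the function names are assumptions.

```python
import base64
import binascii
import hmac

REALM = "example"                     # constructed realm name (assumption)
USERS = {"alice": "correct horse"}    # constructed credential store (assumption)

def basic_header(user, password):
    """Client side: build the Authorization header value for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """Server side: return (user, password), or None if the header is unusable."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain ':'
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def respond(authorization=None):
    """Return (status, headers, body) for one request to the page."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if authorization is None:
        # No credentials sent: serve the page with 200 and still advertise
        # the challenge, so a UA can offer a non-modal login bar.
        return 200, challenge, "public page"
    creds = parse_basic(authorization)
    expected = USERS.get(creds[0]) if creds else None
    # Constant-time comparison of the supplied and stored password
    if expected is not None and hmac.compare_digest(
            creds[1].encode("utf-8"), expected.encode("utf-8")):
        return 200, {}, f"page for {creds[0]}"
    # Credentials were sent and rejected: 401 page, challenge repeated
    return 401, challenge, "401 page"
```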
