- From: S. Mike Dierken <mdierken@hotmail.com>
- Date: Mon, 13 Jun 2005 19:41:50 -0700
A couple notes

- HTTP doesn't have sessions, that's a fiction that server authors created to optimize resources by holding onto & later releasing those resources. It's useful to talk about in regards to the application logic, but it's not part of HTTP.

- different applications have different concepts of being logged in. Some may allow a user to log in under different 'roles', some may allow them to log in to different areas of the site, etc. Any UI element embedded in the browser chrome wouldn't work for many apps - it really should be flexible enough for a page to have custom UI.

- if the browser had a button or variant of an html form that cleared the user's credentials (username/password, certificate, etc) then that action would not be reported to the server. Would this fit the use case that server developers have? My guess is that they would like to know when a user 'logs out'. Which means that the browser sends a message to the server. This message likely should be required to come from an authenticated user... else the bad guys could log people out by guessing the right message.

If the client request is followed by a server response that clears out the credentials, I think that lets developers have various concepts of 'logged in' and 'logged out', implement it however they wish in both UI and server code, and integrates with the protocol at some level.

----- Original Message -----
From: "Charles Iliya Krempeaux" <supercanadian@gmail.com>
To: "WHAT Working Group Mailing List" <whatwg at whatwg.org>
Sent: Monday, June 13, 2005 6:17 PM
Subject: Re: [whatwg] suggestion: LINK element for session termination

Hello,

On 6/13/05, Hallvord R M Steen <hallvors at gmail.com> wrote:
> On 6/13/05, Charles Iliya Krempeaux <supercanadian at gmail.com> wrote:
>
> > Having a way to "logout" the user from an HTTP authentication session
> > is very desirable.
>
> Yes, this has been discussed before and the response was that it is a
> browser UI issue.

I agree with you in that this is (partially) a problem with the browser.

But what if the browsers had a feature where the user could "logout" of a website (using HTTP authentication). (In other words, what if the browser had a button or something that would "clear out" the "username" and "password" it is sending for a web site.) Would that be enough?

I don't think it would be enough. The reasons are....

#1: Web developers will want to integrate the logout button into their "web pages" or "web applications".

#2: Web developers will want to be able to "logout" via JavaScript.

#3: Web developers will probably want to be able to control if the "authentication pop-up" (the pop-up window you type your username and password into) comes up or not.

At the very least there should be a JavaScript API that can let you "logout". (And be able to detect if you are "logged in" or not.)
Received on Monday, 13 June 2005 19:41:50 UTC
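
The flow sketched in the reply above (a logout message that the server honours only from an authenticated user, followed by a server response that clears the credentials), as an added example that is not part of the original thread. The `/logout` handler, the `USERS` store and the use of a `401` re-challenge as the "clearing" response are assumptions; the thread does not specify a mechanism.

```python
import base64
import hmac

# Constructed sample credential store (a real server would store password hashes).
USERS = {"alice": "correct horse"}
LOGGED_OUT = set()  # users whose logout the server has recorded


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or bytes: treat as unauthenticated
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Return the user name if the credentials are valid, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison so timing does not leak how much matched.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return user if ok else None


def handle_logout(method, headers):
    """Handle a request to the hypothetical /logout; return (status, headers)."""
    if method != "POST":
        return 405, {"Allow": "POST"}  # logout changes state, so no GET
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # A logout message without valid credentials changes nothing.
        return 403, {}
    LOGGED_OUT.add(user)  # the server learns that the user logged out
    # Assumed clearing step: re-challenge so the client drops the credentials
    # it has cached for this realm.
    return 401, {"WWW-Authenticate": 'Basic realm="example"',
                 "Cache-Control": "no-store"}
```
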