[whatwg] suggestion: LINK element for session termination

A couple notes
 - HTTP doesn't have sessions, that's a fiction that server authors created
to optimize resources by holding onto & later releasing those resources. It's
useful to talk about in regards to the application logic, but it's not part
of HTTP.
 - different applications have different concepts of being logged in. Some
may allow a user to log in under different 'roles', some may allow them to
log in to different areas of the site, etc. Any UI element embedded in the
browser chrome wouldn't work for many apps - it really should be flexible
enough for a page to have custom UI.
 - if the browser had a button or variant of an html form that cleared the
user's credentials (username/password, certificate, etc) then that action
would not be reported to the server. Would this fit the use case that server
developers have? My guess is that they would like to know when a user 'logs
out'. Which means that the browser sends a message to the server. This
message likely should be required to come from an authenticated user... else
the bad guys could log people out by guessing the right message. If the
client request is followed by a server response that clears out the
credentials, I think that lets developers have various concepts of 'logged
in' and 'logged out', implement it however they wish in both UI and server
code, and integrates with the protocol at some level.



----- Original Message ----- 
From: "Charles Iliya Krempeaux" <supercanadian@gmail.com>
To: "WHAT Working Group Mailing List" <whatwg at whatwg.org>
Sent: Monday, June 13, 2005 6:17 PM
Subject: Re: [whatwg] suggestion: LINK element for session termination


Hello,

On 6/13/05, Hallvord R M Steen <hallvors at gmail.com> wrote:
> On 6/13/05, Charles Iliya Krempeaux <supercanadian at gmail.com> wrote:
>
> > Having a way to "logout" the user from an HTTP authentication session
> > is very desirable.
>
> Yes, this has been discussed before and the response was that it is a
> browser UI issue.

I agree with you in that this is (partially) a problem with the
browser.  But what if the browsers had a feature where the user could
"logout" of a website (using HTTP authentication).  (In other words,
what if the browser had a button or something that would "clear out"
the "username" and "password" it is sending for a web site.)  Would
that be enough?

I don't think it would be enough.  The reasons are....  #1: Web
developers will want to integrate the logout button into their "web
pages" or "web applications".  #2: Web developers will want to be able
to "logout" via JavaScript.  #3: Web developers will probably want to
be able to control if the "authentication pop-up" (the pop-up window
you type your username and password into) comes up or not.

At the very least there should be a JavaScript API that can let you
"logout".  (And be able to detect if you are "logged in" or not.)

Received on Monday, 13 June 2005 19:41:50 UTC
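
The logout exchange described in the reply at the top of this message (a request that must come from an authenticated user, followed by a response that clears the credentials), as an added example that is not part of the original thread. The `USERS` store, the realm name, the `active` set and `handle_logout` are hypothetical, and answering 401 so that a browser drops its cached Basic credentials is a common server-side convention, not something the thread specifies.

```python
import base64
import hmac

# Constructed sample data (assumption): a real server would store password hashes.
USERS = {"alice": "correct horse"}
REALM = "example"  # hypothetical realm name


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticated_user(headers):
    """Return the user name if the request carries valid credentials, else None."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return None
    # Constant-time comparison of the supplied and stored password.
    if hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None


def handle_logout(headers, active):
    """Hypothetical logout handler; returns (status, response_headers).

    `active` is the application's own notion of who is logged in; HTTP
    itself keeps no such state.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    user = authenticated_user(headers)
    if user is None:
        # Guessed or forged logout message: no one is logged out.
        return 401, challenge
    active.discard(user)  # the server is told that this user logged out
    # The 401 asks the browser to stop replaying the cached credentials
    # (assumption: browsers differ in how reliably they honour this).
    return 401, challenge
```

Both branches return the same 401 challenge, so the response does not reveal whether the credentials were valid; only the server-side `active` set changes.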