Re: SSL Logout possibility in Javascript

On 27 Jul 2011, at 18:46, Peter Williams wrote:

> 
>  And, if you have multiple tabs open, or multiple browser instances open, what happens?

I have not tried. If logout happens across all of them simultaneously that would be better than no logout at all.

>  
> And, what happens for each browser vendor?

Well I gave a good list below. Can you try some of the browsers on windows, and tell us what your experience is? 

>  
> (note IE and mozilla have VERY different models of SSL state and cookie management, across tabs and instances).

The world is a messy place.

>  
> If  instance of a session "duplicated" by ctrl-A at a second instance then the second browser instance engages in multuple new connections, spawned off that DUPLICATED SSL session, what happens when one does windows close in the first browser instance, on the pre-duplicated SSL Session?

Good question. Try it out.

>  
> Try to do the harder use cases, not the trivial ones. ONe has to study tghe nature of https, and the way the SSL session/connection works - when supproting browser-specific hypermedia, auto-rendered img tags on https URIs under DOM processing, the javascript/css pipeline etc

Engineering is about cutting problems into simple pieces and solving them one by one. 

>  
>  
> From: henry.story@bblfish.net
> Date: Wed, 27 Jul 2011 18:15:08 +0200
> CC: yngve@opera.com
> To: public-xg-webid@w3.org; public-identity@w3.org; tls@ietf.org
> Subject: Re: SSL Logout possibility in Javascript
> 
> I have just played around with the javascript login/logout possibilities mentioned by Anders Rundgren. The javascript I am using is that the end. Note that I am using xhtml currently, so that may have its own side effects - i.e., perhaps things work better in plain html... I am trying to see if login also works with javascript. That would be very useful, because people can easily click on the cancel button of a certificate, and the browser then remembers that decision. So I am looking to see if one can then force a login again...
> 
> Here are some temporary conclusions with browsers I tried on OSX
> 
> Firefox 5.0.1
> 
>  - logout works
>  - login works if clicking the cancel button. One has to go to a new web page though.
> 
> Safari 5.1
> 
>   - logout does not work with javascript
>    (but Safari does recognise TLS error codes sent, so that those can be used to logout - I have not tested this version though)
> 
> Chrome 13.0.782.99
> 
>   - logout does not work and neither does login
> 
> Opera 11.50
>  
>   - login, logout: does not recognise the window.crypto object
>  
> 
> So that is good news. I guess that means we have Internet Explorer and Firefox we can easily 
> logout with. Being able to log-in again as with Firefox in case a mistake is made is also very helpful.
> Are there some other tricks one can use perhaps?
> 
> //this is for xhtml
> //these functions are described here http://html5.creation.net/webcrypto-api/
> <script language="JavaScript" type="text/javascript">
>  <![CDATA[
>      function logout() {
>      if (document.all == null) // FF, Opera, etc
>         {      
>            alert('logout in ff,opera...')
>            if (window.crypto) window.crypto.logout();
>            else alert('no window.crypto')
>         }      
>       else // MSIE 6+
>         {      
>            alert('logout in msie') 
>            document.execCommand('ClearAuthenticationCache');
>         };     
>      }
>      function login() {
>      if (document.all == null) // FF, Opera, etc
>         {      
>            alert('login in ff,opera...')
>            if (window.crypto) window.crypto.logout();
>             else alert('no window.crypto')
>         }      
>       else // MSIE 6+
>         {      
>            alert('login in msie') 
>            document.execCommand('ClearAuthenticationCache');
>         };     
>      }
>  ]]>
>  </script>
> 
> Social Web Architect
> http://bblfish.net/

Social Web Architect
http://bblfish.net/

Received on Wednesday, 27 July 2011 16:58:05 UTC