Add timeouts for security to HTML

I have a proposal for a feature to add to HTML; my apologies if it has
been proposed before:

Many sites have incorporated authentication mechanisms to guard clients'
private data.  The servers also time out client sessions to prevent (in
theory) the wrong people from using a client's browser session to access
private data.  Unfortunately, this doesn't data on the screen or remove
data from the client's cache.

I suggest an HTML tag that specifies when an object should "timeout":
the browser can "gray out" the classified object when the specified
amount of time has passed since the page was loaded from the server.
Alternately, the server could specify and expiration date for the
object.  The browser should also gray out classified objects on pages in

I'm not sure if such a scheme would be accepted as a feature or an
annoyance, but it should improve security.  Of course, this requires
that classified data be encrypted when stored on disk (and possibly in
memory as well).  Unfortunately, I'm not familiar enough with XHTML to
suggest a syntax, but it may be possible to use its event model to
schedule timeouts.

I'd appreciate any and all comments, and please let me know if this has
been suggested before (I checked the archives and didn;t find much).

--Sameer Ajmani
MIT Lab for Com Sci

Received on Wednesday, 19 April 2000 16:30:39 UTC