- From: Paul Libbrecht <paul@hoplahup.net>
- Date: Fri, 30 Sep 2011 10:48:19 +0200
- To: Henry Story <henry.story@bblfish.net>, "www-tag@w3.org List" <www-tag@w3.org>
Received on Friday, 30 September 2011 08:49:00 UTC
On 30 Sept 2011 at 10:14, Henry Story wrote:

>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>>
>> - go back to the site's home (the user can always go back if he wishes)
>> - remove cookies for that domain and any transcluded resources' domains
>> - remove local storage for the same (JS, flash, ....)
>> - remove stored etags
>> - remove or at least slightly modify cached entities last-modification dates
>> - close all connections
>
> You forgot: do not send that host your client certificates anymore. (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)

I personally find this so special that I do not think it is worth mentioning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host...

My gut feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).

paul
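As an added example that is not part of this thread: the server side of the logout the quoted list describes, built as a response-header generator. It assumes a browser that honours the later `Clear-Site-Data` header (which postdates this 2011 discussion); the cookie and host values are constructed for the demonstration.

```javascript
// Added example, not code from the www-tag thread. It expires every cookie the
// client presented, asks the browser to drop storage and cache via
// Clear-Site-Data (an assumption: the client must support that header), and
// closes the connection. As the thread notes, no response header can stop a
// browser from re-sending a client certificate, so that step is out of scope.

// Parse a Cookie request header ("a=1; b=2") into the cookie names it carries.
function cookieNames(cookieHeader) {
  if (!cookieHeader) return [];
  return cookieHeader
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Build the headers of a logout response. A cookie is only removed when the
// deletion matches its name, path and domain, so a cookie originally set with a
// Domain attribute must be expired with the same Domain attribute.
function logoutHeaders(cookieHeader, { secure = true, domain = null } = {}) {
  const suffix =
    '; Max-Age=0; Path=/; HttpOnly' +
    (secure ? '; Secure' : '') +
    (domain ? `; Domain=${domain}` : '');
  const setCookie = cookieNames(cookieHeader).map((name) => `${name}=${suffix}`);
  return {
    'Set-Cookie': setCookie,                              // one entry per cookie
    'Clear-Site-Data': '"cookies", "storage", "cache"',  // cookies, localStorage, cached entities
    'Cache-Control': 'no-store',                          // do not cache the logout response itself
    'Connection': 'close',                                // drop the keep-alive connection
  };
}

// Constructed request header used for the demonstration.
const SAMPLE_COOKIE = 'sid=abc123; prefs=dark; __Host-csrf=xyz';
```

`Set-Cookie` is an array because each cookie needs its own header line; write them out separately rather than joining them with commas.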