On 30 Sept. 2011, at 10:14, Henry Story wrote:

>> From reading this whole thread I understand the following logout mechanism should be as close as possible:
>>
>> - go back to the site's home (the user can always go back if he wishes)
>> - remove cookies for that domain and any transcluded resources' domains
>> - remove local storage for the same (JS, flash, ....)
>> - remove stored etags
>> - remove or at least slightly modify cached entities last-modification dates
>> - close all connections
>
> You forgot: do not send that host your client certificates anymore. (Safari sends those automatically, for example, and I am not exactly sure how you disable it. I think you have to go to the keychain and manually disable the certificate from being sent to a particular host name, but I am not sure.)

I personally find this so special that I do not think it is worth mentioning: if you install client certs for a particular host (is it host-directed?) you rarely fear being watched by that host... My gut feeling would be to simply disable the "browser logout" for such a site (Safari should otherwise have a way to "reactivate the certs" which, as you describe, seems not really planned for).

paul

Received on Friday, 30 September 2011 08:49:00 UTC