httpd-docs mailing list archives

From Michael.Schro...@telekurs.de
Subject Antwort: Re: Docs correction? re Auth
Date Thu, 12 Dec 2002 13:45:50 GMT

Hi Andy,


>>> You create a link to <bogus:bogus@hostname.com/logout.html
>>> or somesuch, and that this effectively resets the password
>>> cache on the browser.
>> I guess I'm not entirely sure what he means, as I'm unable to reproduce
>> his findings. Anyone got any thoughts on this?
> He means: let the browser send wrong credentials, so that the
> server will respond with a 401. Many (most?) browsers will forget
> the password for the current realm then.

So if it were a question of the browser taking the initiative
in that, then why don't the browser programmers offer such a
thing, if HTTP allows for it being done this way?

The browsers do have a table somewhere in main memory that
contains all the realms they believe to be logged in to.
They could just offer some widget to display this table
(maybe not the actual passwords, for security reasons) and
add some "log me off from this one" button to each entry
(or a checkbox to each entry and one button for all),
causing the HTTP request(s) described above to be sent.

And if they do evaluate the realm table like that, they
could also display the name of the realm that a page is
assigned to somewhere on the screen, let's say in the
status line or beside the little key they use for
visualizing an SSL transfer ...

Perhaps someone should tell the Mozilla people about this?
It doesn't sound too complicated to have them do some
reference implementation.

Anyway, there are two possible tasks that one might want
to be implemented, and they should not be mixed up:
a) Allow the user to actively log out - this would rather
   be done by a browser widget than by page content.
   (I consider this a matter of trust, like SSL.)
b) Force the user to be logged out - this would be done
   by the server sending an HTTP 401, if the clients are
   required to interpret it the way they should ... is
   RFC 2616 clear enough about that?



Regards, Michael



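The two mechanisms discussed in this thread, modelled end to end as an added example (this is not code from the original message, nor from the httpd project): a tiny Basic-auth server in which every resource sits in one realm and `/logout.html` always answers 401 (approach b), plus a browser simulation that sends the credentials from a `user:pass@host` link or the login dialog (approach a). The realm name `Example Area`, the user table and the `BrowserSim` class are assumptions; in particular `BrowserSim` encodes the claimed behaviour that a browser discards its cached credentials for a realm as soon as it receives a 401 carrying that realm, which real browsers only partly honour.

```python
"""Basic-auth "logout" by triggering a 401 for the realm (added example)."""
import base64
import binascii
import hmac
import re
from typing import Dict, Optional, Tuple

REALM = "Example Area"            # assumed realm name
USERS = {"alice": "s3cret"}       # constructed user table (plaintext for the demo only)
Response = Tuple[int, Dict[str, str], str]


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic(auth_header: Optional[str]) -> Optional[str]:
    """Return the user name if the header carries valid Basic credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):       # malformed base64 or non-UTF-8 payload
        return None
    user, sep, password = raw.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # constant-time comparison so the check does not leak how much of the password matched
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def handle_request(path: str, auth_header: Optional[str]) -> Response:
    """Server side: every path lives in REALM; /logout.html always challenges (approach b)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if path == "/logout.html":
        # Forced logout: answer 401 with the same realm even if the credentials are valid.
        return 401, challenge, "You are now logged out of this realm."
    user = check_basic(auth_header)
    if user is None:
        return 401, challenge, "Authentication required."
    return 200, {}, f"Hello, {user}."


def parse_realm(www_authenticate: str) -> Optional[str]:
    """Extract the realm from a WWW-Authenticate: Basic challenge."""
    m = re.search(r'realm="([^"]*)"', www_authenticate)
    return m.group(1) if m else None


class BrowserSim:
    """Assumed browser model: one cached Authorization value per realm."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def fetch(self, path: str, creds: Optional[Tuple[str, str]] = None) -> Tuple[int, str]:
        # creds models user:pass@host in a link (approach a) or the login dialog;
        # without it the browser replays whatever it has cached for the realm.
        auth = basic_header(*creds) if creds else self.cache.get(REALM)
        status, headers, body = handle_request(path, auth)
        if status == 401:
            realm = parse_realm(headers.get("WWW-Authenticate", ""))
            if realm is not None:
                self.cache.pop(realm, None)       # the "forget the realm" behaviour the thread relies on
        elif auth is not None:
            self.cache[REALM] = auth              # remember credentials the server accepted
        return status, body


if __name__ == "__main__":
    b = BrowserSim()
    print(b.fetch("/private", ("alice", "s3cret")))   # 200: logged in
    print(b.fetch("/private"))                        # 200: replayed from cache
    print(b.fetch("/private", ("bogus", "bogus")))    # approach (a): 401 empties the cache
    print(b.fetch("/private"))                        # 401: credentials are gone
    print(b.fetch("/logout.html"))                    # approach (b): unconditional 401
```

Whichever approach is used, the 401 only helps if its `WWW-Authenticate` realm (and host) match the entry the browser cached, so a real logout URL has to be served from inside the protected realm rather than from an unrelated location.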