Julian Reschke wrote:
And includes the ability for the user to logoff / the server reset the
Is that a protocol problem or a user agent problem?
-- > <http://lists.w3.org/Archives/Public/www-archive/2012Jan/0023.html>
First, it's a non-issue with cookie-based authentication methods
(server-side fancy login forms), but it is only by using a cookie condition
that you can emulate a "Logoff" concept with HTTP BASIC/DIGEST AUTH, due to
the browser's current persistent nature of continuing to reissue
BASIC/DIGEST authenticated credentials until a 403 is issued.
The cookie, i.e. "SESSION-OVER", is required to trap/trigger/recognize
when a 403 condition should be used on subsequent requests. That
will cause the browser to forget (either fully or partially) the current
credentials. Depending on the browser, it could mean a loss of the ability
to reuse them without retyping them until the browser is completely closed.
But without a cookie, there is no logoff button concept with HTTP
AUTH. So the question is: does HTTP AUTH require cookies to work?
Since it does not, if a clearing of the credentials, perhaps with a new
40x or a redefinition of the existing 40x, is desired, it also has to be
based on not requiring a cookie.
In regard to the generic problem statement Barry stated, it sounds to me
that this calls for a persistent IP-session-level management concept.
A related question is to decide who is going to be asking for the
initial credentials, the browser or a server-side login form concept?
Hector Santos, CTO
Ietf mailing list
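The cookie-triggered "logoff" flow Hector describes above, written out as an added, self-contained example (this is not code from the post or from any IETF work; it assumes a single constructed user "alice"/"s3cret", an in-process request handler, and a toy browser that replays Basic credentials until it sees a 403, exactly as the post describes). The logoff response is kept as 403 to match the post; note that RFC 7235 puts the WWW-Authenticate challenge on 401, and whether a given browser actually drops its cached credentials on a bare 403 rather than on a fresh 401 challenge varies, so LOGOFF_STATUS is a single constant you can switch when testing against real browsers:

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed demo credential store (assumption: one user, plaintext for brevity).
USERS = {"alice": "s3cret"}
REALM = "demo"
LOGOFF_COOKIE = "SESSION-OVER"   # marker cookie named in the post
LOGOFF_STATUS = 403              # as the post describes; many browsers need 401 here


def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(auth_header):
    """Return (user, password) from 'Basic <base64>' or None if malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds):
    """Constant-time check of the supplied credentials against USERS."""
    if creds is None:
        return False
    expected = USERS.get(creds[0])
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), creds[1].encode("utf-8"))


def handle(path, headers):
    """Server side: returns (status, response_headers, body)."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    creds = parse_basic(headers.get("Authorization"))

    # A request carrying SESSION-OVER is the signal that the user pressed
    # logoff: refuse it and expire the marker so the next request is clean.
    if LOGOFF_COOKIE in cookies:
        return LOGOFF_STATUS, {"Set-Cookie": f"{LOGOFF_COOKIE}=; Max-Age=0; Path=/"}, "Logged off"

    # No or bad credentials: issue the Basic challenge.
    if not credentials_ok(creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"

    # The logoff button hits this path; plant the marker cookie.
    if path == "/logoff":
        return 200, {"Set-Cookie": f"{LOGOFF_COOKIE}=1; Path=/; HttpOnly"}, "Logging off..."

    return 200, {}, f"Hello {creds[0]}"


def simulate_logoff_flow():
    """Walk the exchange with a toy browser that keeps replaying Basic
    credentials until it sees LOGOFF_STATUS, then forgets them.
    Returns the list of status codes observed."""
    statuses, jar = [], {}
    auth = None

    def request(path):
        hdrs = {}
        if auth:
            hdrs["Authorization"] = auth
        if jar:
            hdrs["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
        status, resp, _ = handle(path, hdrs)
        if "Set-Cookie" in resp:                 # toy cookie jar
            for name, morsel in SimpleCookie(resp["Set-Cookie"]).items():
                if morsel["max-age"] == "0":
                    jar.pop(name, None)
                else:
                    jar[name] = morsel.value
        statuses.append(status)
        return status

    request("/")                                 # 401: challenge
    auth = basic_header("alice", "s3cret")       # user types credentials
    request("/")                                 # 200: authenticated
    request("/logoff")                           # 200: SESSION-OVER set
    if request("/") == LOGOFF_STATUS:            # browser forgets credentials
        auth = None
    request("/")                                 # 401: logged off
    return statuses


if __name__ == "__main__":
    print(simulate_logoff_flow())
```

The point the simulation makes is the one in the post: without the cookie, the fourth request is indistinguishable from the second, so the server has no way to decide that this particular replay of valid credentials should be refused.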