ISSUE-58: Login/Logout behavior
logout
- State: OPEN
- Product: User Interface/Browsers
- Raised by: Henry Story
- Opened on: 2011-09-15
- Description:
- The WebID protocol relies on TLS. There are a number of issues relating to logging in and logging out of TLS that could be improved, at the HTTP, TLS or browser level. We need to gather all the knowledge accumulated on this topic into one document for the final report.
Some logout issues:
- logout using TLS exceptions is not implemented in any browser
- a JavaScript API works but only for IE and Firefox
- HTTP logout headers could be developed to move this behaviour to the HTTP layer
- most browsers don't show the user's identity in the browser (that would allow the user to log out)
Login issues:
For a site that is fully behind HTTPS, one does not want the (human) user to come to a site and be asked for a TLS certificate before he even sees the site. A human user should be redirected to a site explaining why his identity is requested. But a robot arguably should be asked for his certificate immediately. There are a number of solutions to this; they should be described.
- Related Actions Items:
- No related actions
- Related emails:
- Re: TLS session renegotiation in java (from henry.story@bblfish.net on 2011-10-11)
- Re: www-authenticate challenge in case of http 401 (from henry.story@bblfish.net on 2011-09-15)
- WebID-ISSUE-58 (logout): Login/Logout behavior [User Interface/Browsers] (from sysbot+tracker@w3.org on 2011-09-15)
Related notes:
We have been working on this issue for 3 months now, and have in fact covered some of it in our Identity in the Browser paper
http://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_22/webid.html
So I am opening it now. We should have opened it a long time ago.
Bruno Harbulot suggested an important idea a few years ago of developing an HTTP header for this
http://www6.ietf.org/mail-archive/web/tls/current/msg05589.html