<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
One such solution for the authentication issue is at the following
location:<br>
<br>
<a href="http://www.w3.org/TR/1999/NOTE-authentform-19990203">http://www.w3.org/TR/1999/NOTE-authentform-19990203</a><br>
<br>
Perhaps this could be used in full or at least as a basis for a method
to provide a "log out" feature.<br>
<br>
Greg<br>
<br>
<br>
Greg Kilwein wrote:
<blockquote cite="mid41C31ACC.9050102@fbsdata.com" type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Related to this, it would be nice to have a standard, simple way for a
browser session to "log out" of its HTTP authentication. Currently
with some UAs, a user must to close all of his or her browser windows
and/or tabs in order to be able to log in as someone else. Granted,
there are ways to trick the browser into popping up the authentication
box, but it would be nice to have a standard "log out" feature.<br>
<br>
The way HTTP authentication is implemented now assumes that the user
will never want to change usernames. This is simply not true in every
case, even if it is for the majority of cases.<br>
<br>
I'm not sure of the best way to accomplish this log out functionality
(headers? HTML tags?) but this certainly would be a helpful feature in
the web application that I develop. Has anyone else experienced a
situation in which this feature would be useful, or have any ideas
about how it could be accomplished that would be within the scope of
this group?<br>
<br>
Greg<br>
<br>
<br>
Ian Hickson wrote:
<blockquote
cite="midPine.LNX.4.61.0412170455270.19348@dhalsim.dreamhost.com"
type="cite">
<pre wrap="">On Fri, 17 Dec 2004, Matthew Thomas wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Future browsers could, instead of displaying an alert for HTTP
authentication, provide the authentication UI in a panel at the top of
the non-authenticated page (fixing annoying modality issues in the
process). That wouldn't require any change to HTTP authentication
either.
</pre>
</blockquote>
<pre wrap=""><!---->
A very interesting idea. The problem with that is that if you show the
401 page at the moment, you'll get something like:
401 UNAUTHORIZED
YOU DO NOT HAVE THE PROPER PERMISSIONS
___________________________________________________________
Username: [_____] Password: [_______] (Login) [X]
...whenever you reach an HTTP-protected page, which is suboptimal at
best.
We could get around that by saying that you can include
WWW-Authenticate headers with 200 OK responses as well (nothing in
HTTP seems to say you can't), and that if you do, then the bar is
shown as above ("interactive user agents should provide a non-modal
authentication interface"). Then, if you've already sent your
credentials and you get a 401, then you get the 401 page and the bar,
instead of the modal dialog.
</pre>
</blockquote>
</blockquote>
</body>
</html>