[whatwg] connecting usernames and passwords

Greg Kilwein gkilwein at fbsdata.com
Fri Dec 17 14:28:40 PST 2004

One such solution for the authentication issue is at the following location:


Perhaps this could be used in full or at least as a basis for a method 
to provide a "log out" feature.


Greg Kilwein wrote:

> Related to this, it would be nice to have a standard, simple way for a 
> browser session to "log out" of its HTTP authentication.  Currently 
> with some UAs, a user must to close all of his or her browser windows 
> and/or tabs in order to be able to log in as someone else.  Granted, 
> there are ways to trick the browser into popping up the authentication 
> box, but it would be nice to have a standard "log out" feature.
> The way HTTP authentication is implemented now assumes that the user 
> will never want to change usernames.  This is simply not true in every 
> case, even if it is for the majority of cases.
> I'm not sure of the best way to accomplish this log out functionality 
> (headers? HTML tags?) but this certainly would be a helpful feature in 
> the web application that I develop.  Has anyone else experienced a 
> situation in which this feature would be useful, or have any ideas 
> about how it could be accomplished that would be within the scope of 
> this group?
> Greg
> Ian Hickson wrote:
>>On Fri, 17 Dec 2004, Matthew Thomas wrote:
>>>Future browsers could, instead of displaying an alert for HTTP 
>>>authentication, provide the authentication UI in a panel at the top of 
>>>the non-authenticated page (fixing annoying modality issues in the 
>>>process). That wouldn't require any change to HTTP authentication 
>>A very interesting idea. The problem with that is that if you show the
>>401 page at the moment, you'll get something like:
>>   ___________________________________________________________
>>    Username: [_____]  Password: [_______]   (Login)      [X]
>>...whenever you reach an HTTP-protected page, which is suboptimal at
>>We could get around that by saying that you can include
>>WWW-Authenticate headers with 200 OK responses as well (nothing in
>>HTTP seems to say you can't), and that if you do, then the bar is
>>shown as above ("interactive user agents should provide a non-modal
>>authentication interface"). Then, if you've already sent your
>>credentials and you get a 401, then you get the 401 page and the bar,
>>instead of the modal dialog.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20041217/0e06c2d1/attachment-0001.htm>

More information about the whatwg mailing list