[whatwg] Session Management

Roger Hågensen rescator at emsai.net
Wed Mar 2 13:11:48 PST 2011 

On 2011-03-02 18:42, Bjartur Thorlacius wrote:
>>
>>> Just see what happens when users login to a site, then navigate to
>>> another and authenticate to the latter, and then logout from the
>>> latter. In that case, they're still authenticated to the former site.
>>> In theory, this shouldn't be a problem, as users should clear all UA
>>> data before granting anyone else access to the UA data store, but in
>>> ill-managed public terminals, that may not be the case.
>> Yes but do they? Theory is nice but can't a site aid a user in this?
>>
> If neither the sysadmin, nor the user, clear the credentials - who will?
> This specifically is probably the main use case for expiring auth tokens.
>

Three Ways...

Method #1:
Browser timeout. For legacy reasons the browser could default to within 
a sensible min/max timeout.
Once the timeout is triggered, the HTTP Authentication is ended, and the 
the user has to log in again.
Like say maybe 30 minutes to 60 minutes.
This can easily be done right now for all current browsers. No UI 
changes or any real code changes at all.

Note:
Ideally the user should be able to adjust the default timeout within 
some sensible min/max range,
but this would require a UI change/addition.

Method #2:
A second way to "logout" from a HTTP Authentication would be to end the 
HTTP Authentication when the LAST tab or window is closed that is using 
the authentication to that site/directory.

Note:
It's a shame one can not use javascript to let the webdesigner provide a 
button or url with "javascript:window.close()" or similar.
Perhaps a "javascript:crypto.httpauth_closesession()" or similar could 
be added in the future.

Method #3:
The server (or serverside script, like PHP or similar) sends the 
following to the browser:
     header('HTTP/1.0 401 Unauthorized');
     header('WWW-Authenticate: Close realm="My Realm"');
     *PS! the auth stuff is much longer here obviously, this was just to 
show the use of "Close"*

Note:
If Method 1 or 2 is used the browser should probably send the following 
to the server:
     GET /private/index.html HTTP/1.1
     Authorization: Close username="something"
     *PS! the auth stuff is much longer here obviously, this was just to 
show the use of "Close"*


I think that Method 3 is the real key piece here, on it's own it allows 
the server to "timeout" the client/user AND notify the client that this 
has happen.
combined with Method 1 and 2 it is now possible for either the client or 
browser to end the http authentication session and notify each other, 
and let the user know as well.
Method 3 alone would not need a UI change, it would simply instruct the 
browser to clear it's auth session, the page content itself could hold a 
message from the server to the user that they are now logged out.

Explained as easily as possible, the closing is exactly the same as 
serverside "WWW-Authenticate: Digest" and clientside "Authorization: 
Digest" but
instead of the word Digest it is replaced with Close, the rest of the 
auth should otherwise be just like a normal Digest auth to ensure it's 
not a fake close.
just doing "WWW-Authenticate: Close" might be an issue with future 
improvements beyond Digest method, so maybe "WWW-Authenticate: Close 
Digest " would make more sense.
Just avoid calling it "Digest Close" as that could be confused with a 
normal "Digest".
"Close" is just an example, "End" or "Quit" or "Clear" could just as 
well be used, the word doesn't matter, the hint brings from the server 
to the browser is the vital key though.

It is basically the server saying to the browser that "those session 
credentials are no longer valid, please stop spamming me with them" 
*laughs* at which point the browser clears the auth session,
and starts talking to the site with a clean slate again. If something 
like Method 3 was implemented then I'm pretty sure that the devs of 
phpBB, vBulletin and who knows how many CMS devs out there would be 
happy to support this.

Sidesubject:
Hopefully the old WWW-Authenticate: Basic is fully deprecated soon as it 
is no different from plaintext html login forms (almost all forums and 
websites out there that do not use SSL/certificates).
WWW-Authenticate: Digest should be minimum requirement. I'm not sure but 
I believe that Opera did fix some of the issue with Basic being fallen 
back to, no idea how all browsers lay on this currently.
It would be tempting to fix the Basic issue and security "hole" by 
instead changing things so that it's called: "WWW-Authenticate2: Digest" 
and "WWW-Authenticate2: Close Digest" where Basic is not allowed at all,
this would prevent exploits that try to sneak Basic into the header and 
make the browser use plain text instead.

-- 
Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/

More information about the whatwg mailing list