Timestamp:
15/09/13 00:56:07 (7 years ago)
Author:
fielding@…
Message:

(editorial) replace obsolete text on lack of HTTP support for logout

File:
1 edited

  • draft-ietf-httpbis/latest/p7-auth.xml

    r2398 r2399  
    689689<t>
    690690   Existing HTTP clients and user agents typically retain authentication
    691    information indefinitely. HTTP/1.1 does not provide a method for a
    692    server to direct clients to discard these cached credentials. This is
    693    a significant defect that requires further extensions to HTTP.
     691   information indefinitely. HTTP does not provide a mechanism for the
     692   origin server to direct clients to discard these cached credentials, since
     693   the protocol has no awareness of how credentials are obtained or managed
     694   by the user agent. The mechanisms for expiring or revoking credentials can
     695   be specified as part of an authentication scheme definition.
     696</t>
     697<t>
    694698   Circumstances under which credential caching can interfere with the
    695699   application's security model include but are not limited to:
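Review bot: the added sentence "The mechanisms for expiring or revoking credentials can be specified as part of an authentication scheme definition" hands the problem to scheme authors but gives them no pointer; consider adding a cross-reference to the part of this document that sets out considerations for defining new authentication schemes, so that credential-expiry and revocation guidance is found where schemes are actually specified. Please also confirm that the change from "server" to "origin server" is intentional, since the surrounding sentence still speaks of "HTTP clients and user agents" in general terms and the paragraph that follows is written in terms of the application's security model rather than the origin.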
     
    706710</t>
    707711<t>
    708    This is currently under separate study. There are a number of work-arounds
    709    to parts of this problem, and we encourage the use of
    710    password protection in screen savers, idle time-outs, and other
    711    methods that mitigate the security problems inherent in this
    712    problem. In particular, user agents that cache credentials are
    713    encouraged to provide a readily accessible mechanism for discarding
    714    cached credentials under user control.
     712   User agents that cache credentials are encouraged to provide a readily
     713   accessible mechanism for discarding cached credentials under user control.
    715714</t>
    716715</section>
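Review bot: the replacement paragraph keeps only the user-controlled discard mechanism and drops the operational mitigations named in the removed text (password protection in screen savers and idle time-outs) without carrying them anywhere else in the hunk; since the removed text presented them as work-arounds for the very circumstances the preceding list introduces, consider retaining one sentence along the lines of "Password protection in screen savers and idle time-outs can reduce the exposure created by cached credentials" rather than deleting the advice outright. The retained wording "are encouraged to provide" is a non-normative recommendation; if the intent is a SHOULD-level requirement on user agents, an RFC 2119 keyword would make that explicit, otherwise keeping it as a recommendation is consistent with the "(editorial)" scope stated in the commit message.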