
Re: User Auth. : Spyglass proposal
On Tue, 26 Mar 1996, Jeff Hostetler wrote:

> I've also been experimenting with a server version.  An HTTP header
> of the form:
> 
> 	FlushAuthenticationCache: Basic realm=foobar
> 
> Which lets the server ask the browser to flush the cache for the given
> realm and authentication method.

In order to provide a solid, robust application platform, there is
more to worry about than just the authentication information.
For example, the Flush* should probably provide for deleting all
pages from the cache, history buffer, etc, which were delivered
in response to authenticated requests. Leave the user with the
initial page from which they logged in.

I think it would be difficult for a server to decide when to
flush authentication for many applications since they may not
have a natural point of closure.  Even order entry applications
may find it useful to provide the user with the ability to
walk the history back to review what they had done.  Many applications
would be best designed to allow the user to walk back and continue
but if authentication were flushed w/o an explicit logout, this might
be quite confusing to users. The real difficulty here is that
clients call servers and there is no mechanism in the protocol for
the server to 'call' the client.  Hence, the server must decide for
each response if that will be the last. Often not easy to determine.

A commercial CGI server product I authored maintains a pseudo session
(pre-cookies et al) and tracks the most recent user interaction. It
will automatically require a repeated login after a configuration-
specified interval of inactivity and after a longer interval simply
discard the session requiring re-login.

David Morris
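The session mechanism David describes (an idle interval after which the user must log in again, and a longer interval after which the session is discarded), together with a logout response that carries the `FlushAuthenticationCache` header from Jeff's proposal, as an added illustration that is not code from either post or from David's product. The header is the thread's proposal, not a standard HTTP header; the interval values, the `FakeClock` and the `SessionStore` class are constructed for this example.

```python
import time
from dataclasses import dataclass, field

# Constructed sample intervals (seconds); a real deployment would read these from configuration.
RELOGIN_AFTER = 15 * 60      # idle time after which the user must authenticate again
DISCARD_AFTER = 8 * 60 * 60  # idle time after which the session is dropped outright


@dataclass
class Session:
    user: str
    realm: str
    last_seen: float
    needs_relogin: bool = False
    authenticated_urls: list = field(default_factory=list)  # pages served under this login


class SessionStore:
    """Pseudo-session tracker keyed by an opaque session id (hypothetical, for illustration)."""

    def __init__(self, relogin_after=RELOGIN_AFTER, discard_after=DISCARD_AFTER, clock=time.time):
        self.relogin_after = relogin_after
        self.discard_after = discard_after
        self.clock = clock
        self._sessions = {}

    def login(self, sid, user, realm):
        self._sessions[sid] = Session(user, realm, self.clock())

    def touch(self, sid, url):
        """Record an authenticated request; returns 'ok', 'relogin' or 'expired'."""
        s = self._sessions.get(sid)
        if s is None:
            return "expired"
        idle = self.clock() - s.last_seen
        if idle > self.discard_after:
            # Long inactivity: discard the session entirely; a fresh login is needed.
            del self._sessions[sid]
            return "expired"
        if idle > self.relogin_after:
            # Shorter inactivity: keep the session state but demand re-authentication.
            s.needs_relogin = True
            return "relogin"
        s.last_seen = self.clock()
        s.authenticated_urls.append(url)
        return "ok"

    def reauthenticate(self, sid):
        s = self._sessions[sid]
        s.needs_relogin = False
        s.last_seen = self.clock()

    def has(self, sid):
        return sid in self._sessions

    def logout_headers(self, sid):
        """Headers for the response to an explicit logout.

        'FlushAuthenticationCache' is the header proposed in the thread (not a standard);
        'Cache-Control: no-store' is standard HTTP/1.1 and is the server's only real lever
        over what the client keeps, since the server cannot otherwise 'call' the client.
        """
        s = self._sessions.pop(sid)
        return {
            "FlushAuthenticationCache": f"Basic realm={s.realm}",
            "Cache-Control": "no-store",
        }


class FakeClock:
    """Constructed clock so the timeouts can be exercised without waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock=clock)
    store.login("s1", "alice", "foobar")
    print(store.touch("s1", "/orders/1"))   # ok
    clock.t += 16 * 60
    print(store.touch("s1", "/orders/2"))   # relogin
    store.reauthenticate("s1")
    print(store.logout_headers("s1"))
```

Run as a script for a short trace; the `FakeClock` stands in for `time.time` so the two thresholds can be crossed deterministically.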