If sensible authentication were used...

Posted May 27, 2010 13:57 UTC (Thu) by niner (guest, #26151)
In reply to: If sensible authentication were used... by epa
Parent article: Redirecting browser tabs via "tabnabbing"

Well HTTP authentication might be nice if it didn't have a serious drawback: it's just not possible to end a session. Mozilla used to be the only browser that I know of that ever had a logout button for HTTP authentication. It was removed in Firefox to simplify the user interface. You can still add it for example as part of the web developer extensions, but no normal user would have that.

Also it's not possible to end a session from the server side, since the browser is sending valid credentials with every request. It's just a NO GO from a security perspective.

to post comments

If sensible authentication were used...

Posted May 27, 2010 14:56 UTC (Thu) by TRS-80 (guest, #1804) [Link] (2 responses)

They actually added it back in 3.0 as part of the "Clear Private Data..." interface. Also, it is possible to end it from the server side, but it requires a fair bit of hackery. There are plenty of other reasons not to use HTTP auth however, including the inflexibility of the browser UI for providing options like "new user" and "forgot my password".

If sensible authentication were used...

Posted Jun 1, 2010 16:15 UTC (Tue) by epa (subscriber, #39769) [Link] (1 responses)

Agreed. It would need the browser makers to get together to define a basic common interface for web authentication, into which site makers could plug their 'new user' and password reminder pages. Once it's widely deployed, security-conscious sites might start to use it.

If sensible authentication were used...

Posted Jun 1, 2010 16:43 UTC (Tue) by TRS-80 (guest, #1804) [Link]

https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager