Why isn't there a logout button? Why no list of "websites you're logged into"? Is it because of some issue with the HTTP specs?
Life would be much easier for web developers if they could actually rely on HTTP auth ...
Asked
Active
Viewed 825 times
7
-
Quite an interesting question with an interesting answer. Gulzar is right. Stateless. At the moment you see a authentication cookie, there is no way to know if the authentication has expired. – Maxime Rouiller Oct 28 '08 at 01:38
4 Answers
8
As far as HTTP is concerned, it is stateless. One of the main reasons why Internet is scalable.
Gulzar Nazim
- 51,744
- 26
- 128
- 170
-
Yes, state information should be kept by the browser, but they do it poorly – Egon Oct 24 '08 at 21:36
-
This is an interesting topic. Doesn't browser cache do that? I'm coming from the ASP.NET world, so I think in those terms. We got your viewstate, your sessionstate, your cache, your cookies. – MrBoJangles Oct 24 '08 at 21:39
-
well..you can use techniques like cookies and store all the information you want. the responsibility is on the application developer to maintain state and use it properly. – Gulzar Nazim Oct 24 '08 at 21:39
-
Wouldn't it be nice if the browsers were easier to work with? But the fact that HTTP is stateless sort of necessitates the workaroundishness of web programming. – MrBoJangles Oct 24 '08 at 21:41
3
No technical reason. I suppose if anything, the auth UI is neglected because fewer and fewer web sites are still using HTTP Basic Authentication, trending more towards various cookie-related login schemes... precisely because the auth UI is so poor!
One could probably hack together a Firefox add-on to do it quite easily, which would be the quickest fix. (And the same goes for the other question with the poor file upload UI too.) I'd use it!
bobince
- 528,062
- 107
- 651
- 834
-
Yeah, that was my idea too ... I'm actually just trying to get someone to do it ;-) – Egon Oct 24 '08 at 22:24
2
Have you entered a bug report for major browsers ? (At least, ones with bug trackers, Firefox, Chrome (Chromium) etc.
List of open HTTP Auth sessions would be useful.
hayalci
- 4,089
- 2
- 27
- 30
-
There's a ticket open since 2004 for Firefox, I don't know about the others – Egon Oct 24 '08 at 22:22
0
Because it's not the browser that "knows" it's logged in. It's the server which authenticates the browser on every request. Every server can have different authentication mechanism - using different names and content for the authentication cookies, basic authentication, etc.
Sunny Milenov
- 21,990
- 6
- 80
- 106
-
2The question isn't about cookies, it's only basic authentication, which the browser most certainly does keep alive. – Jim Puls Oct 24 '08 at 22:21
-
Also, if you check here: http://www.httprevealer.com/article_basic_authentication.htm, it's still the server which authorizes the access, so the browser only knows that it was already asked, and what to provide on next request, but not if the server will still honor that. – Sunny Milenov Oct 24 '08 at 22:28
-
Jim, even with HTTP authentication methods, the browser does not know whether a user is logged in. All the browser has is the list of credentials for authenticating itself/the user to some websites. Credentials != logged in. – Alexander Oct 25 '08 at 10:41