Re: logout "rel" extension
On 11/24/09 12:16 AM, Bil Corry wrote:
> We eventually came up with the idea of using a "rel" extension[2] to
> specify a "logout" feature[3]; the browser pings the server when all
> related windows/tabs are closed.

I'm not sure if the "when all related windows/tabs are closed" part is interesting (e.g., what to do when that happens because the browser crashed, or the browser doesn't support the rel extension?).

OTOH, there has been some brainstorming around how to improve identity and logins in general. Form-based password management is basically a hack, so it would be nice to have a more formal syntax to tell the browser how to log in and log out from the site. We can (in theory) mostly do this with HTTP authentication, but logins based on forms and cookies are far more common.

Justin
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: logout "rel" extension
On 11/24/09 3:16 AM, Bil Corry wrote:
> Some time ago on the HTML5 list[1], I brought up the problem that there
> wasn't a straightforward way for a server to determine when the user had
> closed all windows/tabs. We eventually came up with the idea of using a
> "rel" extension[2] to specify a "logout" feature[3]; the browser pings
> the server when all related windows/tabs are closed.
>
> I am soliciting feedback on the idea: is this something that Mozilla
> would consider adding to Firefox?

Was it accepted by the HTML5 specification? It doesn't sound like a particularly useful feature to me, considering that this seems to be mostly a solved problem.

> Currently, the only way that I'm aware of to determine when a user has
> closed all related windows/tabs is by having the browser poll the server
> at a regular interval, and once the polling stops, the server knows the
> user is no longer actively using the site.

Why exactly do you need to know when the user has closed all related windows/tabs? How is this better than just timing out the user's session if they haven't made a request in 30 minutes, and doing an occasional poll if the user is in a long-running task such as editing a document?

The spec says same-origin, but doesn't define whether that means eTLD+1 or actual specific origin. What kinds of loads would "prevent logout"? Would images loaded as ? Images loaded as documents? Frames loaded in another site's toplevel window? PDFs, videos, or other non-HTML documents loaded in a browser window (i.e. via the Acrobat plugin)? Must the logout URL be same-origin with the site?

My initial reaction is that we would not implement this feature, but let sites solve this problem, if it must be solved, using existing technologies.

--BDS
logout "rel" extension
Some time ago on the HTML5 list[1], I brought up the problem that there wasn't a straightforward way for a server to determine when the user had closed all windows/tabs. We eventually came up with the idea of using a "rel" extension[2] to specify a "logout" feature[3]; the browser pings the server when all related windows/tabs are closed.

I am soliciting feedback on the idea: is this something that Mozilla would consider adding to Firefox?

Currently, the only way that I'm aware of to determine when a user has closed all related windows/tabs is by having the browser poll the server at a regular interval, and once the polling stops, the server knows the user is no longer actively using the site.

Thanks,

- Bil

[1] "When closing the browser" thread:
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-December/thread.html#17764
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-April/thread.html#19406
http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2009-June/thread.html#20150

[2] http://wiki.whatwg.org/wiki/RelExtensions
[3] http://wiki.whatwg.org/wiki/LogoutRelExtension
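Added example, not part of any message in this thread: a small server-side session store for the polling and idle-timeout approach discussed above, where keep-alive polls extend a session, the idle timeout ends it, and an "all tabs closed" ping is treated only as a best-effort hint that may never arrive. The SessionStore class, its method names and the injectable clock are assumptions made for illustration.

```javascript
// Added example (hypothetical names): the idle timeout is authoritative,
// a logout ping only ends a session earlier.
const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // 30-minute idle timeout, as in the thread

class SessionStore {
  // `now` is injectable so expiry can be exercised without waiting.
  constructor(now = () => Date.now(), idleMs = IDLE_TIMEOUT_MS) {
    this.now = now;
    this.idleMs = idleMs;
    this.sessions = new Map(); // session id -> { user, lastSeen }
  }

  create(id, user) {
    this.sessions.set(id, { user, lastSeen: this.now() });
  }

  // Call on every authenticated request, including the occasional
  // keep-alive poll a page sends during a long-running task.
  touch(id) {
    const s = this.sessions.get(id);
    if (!s) return false;
    if (this.now() - s.lastSeen >= this.idleMs) {
      this.sessions.delete(id); // expired: a late request must not revive it
      return false;
    }
    s.lastSeen = this.now();
    return true;
  }

  // Best-effort hint such as an "all tabs closed" ping. If it never arrives
  // (browser crash, unsupported browser), the idle timeout still applies.
  logoutPing(id) {
    return this.sessions.delete(id);
  }

  // Periodic sweep: removes idle sessions even when no request ever comes.
  sweep() {
    let removed = 0;
    for (const [id, s] of this.sessions) {
      if (this.now() - s.lastSeen >= this.idleMs) {
        this.sessions.delete(id);
        removed++;
      }
    }
    return removed;
  }
}
```

In a real deployment the id passed to these methods would come from the authenticated session cookie, and sweep() would run on a timer.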