[
Lists Home |
Date Index |
Thread Index
]
On Thu, 2004-02-05 at 01:08, Alaric B Snell wrote:
> And it's still the case that both users and programmers have less
> control over HTTP auth; browsers still don't give you "logout" buttons
> that uncache the username and password you've entered, the credentials
> have to be submitted with every request rather than just once (widening
> the window of vulnerability to snooping), the server cannot enforce that
> sessions expire after a certain period of inactivity (and sometimes they
> will *need* to mandate that to meet the requirements of banking
> applications and so on, regardless of user browser choices and
> settings), and so on.
>
but my commonwealth bank site does time out sessions and so does
qantas... isn't this an application problem rather than browser problem
after time x (10/20 minutes of inactivity) i have to log in again. seems
to me it wouldn't be too hard (though possibly inconvenient to users) to
have absolute timeouts as well.
and the sessions are encrypted, and the keys are generated for every
session... how much more secure do you need?
rick
> ABS
>
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
>
|
