OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] Expertise and Innovation - was Re: [xml-dev]Non-Borg serve

[ Lists Home | Date Index | Thread Index ]

On Thu, 2004-02-05 at 01:08, Alaric B Snell wrote:

> And it's still the case that both users and programmers have less 
> control over HTTP auth; browsers still don't give you "logout" buttons 
> that uncache the username and password you've entered, the credentials 
> have to be submitted with every request rather than just once (widening 
> the window of vulnerability to snooping), the server cannot enforce that 
> sessions expire after a certain period of inactivity (and sometimes they 
> will *need* to mandate that to meet the requirements of banking 
> applications and so on, regardless of user browser choices and 
> settings), and so on.
but my commonwealth bank site does time out sessions and so does
qantas... isn't this an application problem rather than browser problem

after time x (10/20 minutes of inactivity) i have to log in again. seems
to me it wouldn't be too hard (though possibly inconvenient to users) to
have absolute timeouts as well.

and the sessions are encrypted, and the keys are generated for every
session... how much more secure do you need?


> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS