Well, by definition since we don't have a "login" process, we also don't
have a "logout" process. What I mean is, the UI for the login process
should really be more of a function of the user agent, and as such, it
is therefore the user agent's responsibility to provide a "logout"
function as well.

Or, to put it another way, your website shouldn't have to worry about
when, whether or how the user chooses to log out. The burden for this is
shifted to the client / user agent.

I'm not sure about JavaScript (not much of a fan), but I know my browser
has a menu choice to clear authenticated sessions. I.e., in Firefox it's
Tools -> Clear Private Data -> Authenticated Sessions. Or, of course,
closing the browser also works.

It's one of those many things that browsers don't handle very well, but
hopefully as REST principles gain traction, we'll see better support for
this functionality (along with native PUT and DELETE in a form's method).

Adam

Michael Terrington wrote:
> Adam Taft wrote:
>> The user agent, of course, still prompts the user for credentials when
>> it's appropriate to do so. The login process, as the end user
>> perceives it, still happens. It's just all about thinking in
>> "stateless" RESTful terms, which is, it seems, hard for some (many?
>> most??) web developers.
>
> The problem I have with HTTP authentication is that browsers don't
> provide a "logout" mechanism. Perhaps there's some way to clear the
> authentication details from JavaScript?
>
> Regards,
> Michael.