My three suggestions were intended to be used together. The HTTP protocol is what defines Basic-Auth. The encapsulation into TLS is transparent to that particular step. My apologies if this confused my recommendation.<div>
<br></div><div>Logging out can be accomplished by simply sending an "unauthenticated" HTTP status code and a new Authenticate header that tells the client it needs new credentials.</div><div><br></div><div>HTTP authentication is superior to cookie-based authentication in a number of cases where the REST nature of the web allows for various kinds of mash-ups. Cookie-based authentication really only works well when an interactive user is using a mainline web browser to access your application. Kind-of like using the flash player for your website: some designers think nothing about it; others believe that it significantly reduces the value of the site, at least long-term. Let your requirements decide.</div>
<div><br></div><div>Sincerely,</div><div><br></div><div>jw</div><div><br clear="all"><br>--<br>Americans might object: there is no way we would sacrifice our living standards for the benefit of people in the rest of the world. Nevertheless, whether we get there willingly or not, we shall soon have lower consumption rates, because our present rates are unsustainable. <br>
<br>
<br><br><div class="gmail_quote">On Mon, Jul 11, 2011 at 10:16 AM, Garrett Smith <span dir="ltr"><<a href="mailto:g@rre.tt">g@rre.tt</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Fri, Jul 8, 2011 at 11:20 PM, Jon Watte <<a href="mailto:jwatte@gmail.com">jwatte@gmail.com</a>> wrote:<br>
<br>
> 2) Use Basic-auth over HTTP -- this sends name and password,<br>
> base-64-encoded.<br>
<br>
</div>This is surely a typo. You can't say "HTTP" and expect people to read<br>
"HTTP + TLS".<br>
<br>
For simple web auth, I routinely use basic auth, but only ever over<br>
HTTPS. This doesn't work however if you need to control sessions or<br>
let users log out. It's just a quick and dirty way to control who can<br>
see what.<br>
<font color="#888888"><br>
Garrett<br>
</font></blockquote></div><br></div>