[whatwg] Web form and HTTP authentication
Mark Nottingham
mnot at mnot.net
Wed Aug 25 23:12:39 PDT 2004
Hi,
I was wondering if there's been any discussion of adding HTTP
authentication capabilities to Web forms or other products of the WG.
(If there has, apologies in advance; I think the work happening here is
important, but I don't have the time to track it closely.)
For example, I could imagine having form controls or widgets to:
- remove a site's authentication state from the browser when
activated (i.e., a "log out" interface)
- add user data to a site's authentication state in the browser
(i.e., "log on" interfaces)
- display the user's current authentication state
There are a few good reasons to do this. Many sites use cookies to
authenticate users, because HTTP authentication doesn't have any
mechanism to allow logging out (a key requirement of financial
institutions and other sensitive applications), and because the UI for
HTTP authentication can't be controlled, and doesn't offer an
"anonymous" / "not logged in" view.
By accommodating HTTP authentication in Web forms, it will be possible
to have styled, custom "log on" interfaces as part of pages, as well as
"log out" facilities, while still retaining the benefits of HTTP
authentication.
Specifically, HTTP authentication is more secure than cookies (when
Digest auth is used), and is more amenable to automated processes
(agents, spiders, etc.) as well as alternate browsing devices (screen
readers, etc.).
What do people think? I understand that Web forms 2.0 is probably too
advanced for this, but I'd love to see something happen in this area
eventually. Also, the security aspects would need to be handled
carefully, but I think that if it's done properly, it could be a huge
benefit to the Web as well as Web forms.
Cheers,
--
Mark Nottingham http://www.mnot.net/