[whatwg] Web form and HTTP authentication

Mark Nottingham mnot at mnot.net
Wed Aug 25 23:12:39 PDT 2004


I was wondering if there's been any discussion of adding HTTP 
authentication capabilities to Web forms or other products of the WG 
(If there has, apologies in advance; I think the work happening here is 
important, but I don't have the time to track it closely).

For example, I could imagine having form controls or widgets to:
   - remove a site's authentication state from the browser when 
activated (i.e., a "log out" interface)
   - add user data to a site's authentication state in the browser 
(i.e., "log on" interfaces)
   - display the user's current authentication state

There are a few good reasons to do this. Many sites use cookies to 
authenticate users, because HTTP authentication doesn't have any 
mechanism to allow logging out (a key requirement of financial 
institutions and other sensitive applications), and because the UI for 
HTTP authentication can't be controlled, and doesn't offer an 
"anyonymous" / "not logged in" view.

By accommodating HTTP authentication in Web forms, it will be possible 
to have styled, custom "log on" interfaces as part of pages, as well as 
"log out" facilities, while still retaining the benefits of HTTP 

Specifically, HTTP authentication is more secure than cookies (when 
Digest auth is used), and is more amenable to automated processes 
(agents, spiders, etc.) as well as alternate browsing devices (screen 
readers, etc.).

What do people think? I understand that Web forms 2.0 is probably too 
advanced for this, but I'd love to see something happen in this area 
eventually. Also, the security aspects would need to be handled 
carefully, but I think that if it's done properly, it could be a huge 
benefit to the Web as well as Web forms.


Mark Nottingham     http://www.mnot.net/

More information about the whatwg mailing list