[whatwg] Web form and HTTP authentication

Mark Nottingham mnot at mnot.net
Thu Aug 26 22:54:40 PDT 2004

Mike Dierken pointed this out as well:

(I haven't looked at it in depth yet, but it appears to be a concrete 
proposal along these lines)

On Aug 25, 2004, at 11:12 PM, Mark Nottingham wrote:

> Hi,
> I was wondering if there's been any discussion of adding HTTP 
> authentication capabilities to Web forms or other products of the WG 
> (If there has, apologies in advance; I think the work happening here 
> is important, but I don't have the time to track it closely).
> For example, I could imagine having form controls or widgets to:
>   - remove a site's authentication state from the browser when 
> activated (i.e., a "log out" interface)
>   - add user data to a site's authentication state in the browser 
> (i.e., "log on" interfaces)
>   - display the user's current authentication state
> There are a few good reasons to do this. Many sites use cookies to 
> authenticate users, because HTTP authentication doesn't have any 
> mechanism to allow logging out (a key requirement of financial 
> institutions and other sensitive applications), and because the UI for 
> HTTP authentication can't be controlled, and doesn't offer an 
> "anonymous" / "not logged in" view.
> By accommodating HTTP authentication in Web forms, it will be possible 
> to have styled, custom "log on" interfaces as part of pages, as well 
> as "log out" facilities, while still retaining the benefits of HTTP 
> authentication.
> Specifically, HTTP authentication is more secure than cookies (when 
> Digest auth is used), and is more amenable to automated processes 
> (agents, spiders, etc.) as well as alternate browsing devices (screen 
> readers, etc.).
> What do people think? I understand that Web forms 2.0 is probably too 
> advanced for this, but I'd love to see something happen in this area 
> eventually. Also, the security aspects would need to be handled 
> carefully, but I think that if it's done properly, it could be a huge 
> benefit to the Web as well as Web forms.
> Cheers,
> --
> Mark Nottingham     http://www.mnot.net/

Mark Nottingham     http://www.mnot.net/
