[whatwg] Re: Web form and HTTP authentication

[Ian Hickson]

On Mon, 8 Nov 2004, Aaron Swartz wrote:
>
> My thinking was that the server would simply support both -- Digest
> Auth for WF2 UAs and standard insecure POST/cookie auth for old UAs.
> This would take a little extra coding but hardly seems insurmountable.

Digest Auth is insecure; the point of using HTTP auth for login instead of 
cookies wouldn't be to increase security, it would be to put the 
authentication information at the appropriate level. IMHO if we required 
authors to implement both HTTP auth and POST/cookie auth, they'd only do 
one, not both. There wouldn't be any advantage to doing both, really.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'