[whatwg] connecting usernames and passwords
Greg Kilwein
gkilwein at fbsdata.com
Fri Dec 17 09:43:41 PST 2004
Related to this, it would be nice to have a standard, simple way for a
browser session to "log out" of its HTTP authentication. Currently with
some UAs, a user must to close all of his or her browser windows and/or
tabs in order to be able to log in as someone else. Granted, there are
ways to trick the browser into popping up the authentication box, but it
would be nice to have a standard "log out" feature.
The way HTTP authentication is implemented now assumes that the user
will never want to change usernames. This is simply not true in every
case, even if it is for the majority of cases.
I'm not sure of the best way to accomplish this log out functionality
(headers? HTML tags?) but this certainly would be a helpful feature in
the web application that I develop. Has anyone else experienced a
situation in which this feature would be useful, or have any ideas about
how it could be accomplished that would be within the scope of this group?
Greg
Ian Hickson wrote:
>On Fri, 17 Dec 2004, Matthew Thomas wrote:
>
>
>>Future browsers could, instead of displaying an alert for HTTP
>>authentication, provide the authentication UI in a panel at the top of
>>the non-authenticated page (fixing annoying modality issues in the
>>process). That wouldn't require any change to HTTP authentication
>>either.
>>
>>
>
>A very interesting idea. The problem with that is that if you show the
>401 page at the moment, you'll get something like:
>
> 401 UNAUTHORIZED
>
> YOU DO NOT HAVE THE PROPER PERMISSIONS
>
>
>
> ___________________________________________________________
> Username: [_____] Password: [_______] (Login) [X]
>
>...whenever you reach an HTTP-protected page, which is suboptimal at
>best.
>
>We could get around that by saying that you can include
>WWW-Authenticate headers with 200 OK responses as well (nothing in
>HTTP seems to say you can't), and that if you do, then the bar is
>shown as above ("interactive user agents should provide a non-modal
>authentication interface"). Then, if you've already sent your
>credentials and you get a 401, then you get the 401 page and the bar,
>instead of the modal dialog.
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20041217/12a34869/attachment-0001.htm>
More information about the whatwg
mailing list