[whatwg] Re: Web form and HTTP authentication
Ian Hickson
ian at hixie.ch
Mon Nov 8 15:56:07 PST 2004
On Fri, 27 Aug 2004, Aaron Swartz wrote:
>
> +1 to adding HTML support for Digest Auth. This is a well-needed
> security measure. And it'd be easy to make it backwards compatible (with
> an attribute on <form> for example) so that if the browser didn't
> support the new HTML features it would fall back to a traditional HTTP
> POST.
I agree this would be great.
The problem is I can't work out how to do it.
Here's how I imagine the ideal setup would be:
1. Form appears on a non-authenticated page, e.g. on the home page of
http://www.example.com/
2. If the user uses the form in a legacy UA, it does a post (or similar)
to a URI, and the user appears logged in.
3. If the user uses the form in a WF2 UA, it does a post (or similar) to
a URI, and sends HTTP authentication information in the process.
Parts 1 and 3 are relatively easy, just a matter of deciding on some
syntax. Part 2 is the problem. I guess part 2 could be implemented by
using redirects to user:password at host URIs, but IE6 on XPSP2 doesn't
support that anymore.
If we don't do that, then we are basically down to:
1. Form appears on a non-authenticated page, e.g. on the home page of
http://www.example.com/
2. If the user uses the form in a legacy UA, it does a post (or similar)
to a URI, which then asks the user for authentication (again) using
the UA's HTTP support.
3. If the user uses the form in a WF2 UA, it does a post (or similar) to
a URI, and sends HTTP authentication information in the process.
Maybe we should hide the username/password fields from legacy UAs, so that
on old UAs it just has a login button, but new UAs have the button as
well as username and password fields?
What do people think? Any opinions?
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
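As an added example (not part of this thread and not WHATWG spec text), here is the server side of the second flow sketched above: the form lives on a plain page, the login URI challenges a legacy UA with HTTP Digest so the UA's own HTTP support prompts for credentials, and a Digest-capable UA that sends an Authorization header with the POST is logged in directly. The code follows RFC 2617 Digest with qop=auth. The realm `example.com`, the `/login` path, the user table and the `client_authorization` helper (which stands in for what the UA would compute) are constructed assumptions for the example.

```python
"""Server side of a form-plus-HTTP-Digest login flow (RFC 2617, qop=auth).

Assumptions (not from the thread): realm "example.com", login URI /login,
one constructed user, and a helper that plays the Digest-capable UA.
"""
import hashlib
import re
import secrets

REALM = "example.com"   # assumed realm
# Constructed credential store: username -> HA1 = MD5(username:realm:password).
# Keeping HA1 instead of the password is what RFC 2617 section 3.2.2.2 allows.
USERS = {
    "alice": hashlib.md5(b"alice:example.com:correct horse").hexdigest(),
}
ISSUED_NONCES = set()   # nonces this server has challenged with (no expiry here)

FORM_HTML = b"""<form action="/login" method="post">
<input name="username"> <input name="password" type="password">
<button>Log in</button></form>"""


def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' (challenge or credentials) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return None
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    }


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode()).hexdigest()


def client_authorization(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """Stand-in for the UA: build the Authorization header sent with the POST."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_authorization(header, method, uri):
    """Return the username if the Digest credentials are valid for this request."""
    f = parse_digest_header(header or "")
    if not f:
        return None
    needed = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in f for k in needed):
        return None
    # Credentials must be for our realm, this URI, qop=auth, and a nonce we issued.
    if f["realm"] != REALM or f["uri"] != uri or f["qop"] != "auth":
        return None
    if f["nonce"] not in ISSUED_NONCES:
        return None
    ha1 = USERS.get(f["username"])
    if ha1 is None:
        return None
    expected = digest_response(ha1, method, uri, f["nonce"], f["nc"], f["cnonce"])
    return f["username"] if secrets.compare_digest(expected, f["response"]) else None


def handle_login(method, uri, authorization):
    """Return (status, headers, body) for one request to the login URI."""
    if method == "GET":
        # Step 1: the form is served from a non-authenticated page.
        return "200 OK", [("Content-Type", "text/html")], FORM_HTML
    if method != "POST":
        return "405 Method Not Allowed", [("Allow", "GET, POST")], b""
    user = verify_authorization(authorization, method, uri)
    if user:
        # Step 3: a capable UA sent Digest credentials with the POST.
        return "200 OK", [("Content-Type", "text/plain")], f"logged in as {user}".encode()
    # Step 2: no or bad credentials, so challenge; a legacy UA's HTTP stack
    # will prompt the user and retry the request with an Authorization header.
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
    return ("401 Unauthorized",
            [("WWW-Authenticate", challenge), ("Content-Type", "text/plain")],
            b"authentication required")


def app(environ, start_response):
    """WSGI adapter, e.g. for wsgiref.simple_server.make_server('', 8000, app)."""
    status, headers, body = handle_login(environ["REQUEST_METHOD"],
                                         environ.get("PATH_INFO", "/"),
                                         environ.get("HTTP_AUTHORIZATION"))
    start_response(status, headers)
    return [body]
```

Two points worth noting from a defender's side: the server binds the credentials to the request URI and to a nonce it issued (a production server would also expire nonces and track the `nc` counter), and Digest only protects the password from being sent in clear, not the rest of the exchange, so it belongs under TLS either way.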