[whatwg] Re: Web form and HTTP authentication

Ian Hickson ian at hixie.ch
Mon Nov 8 15:56:07 PST 2004


On Fri, 27 Aug 2004, Aaron Swartz wrote:
>
> +1 to adding HTML support for Digest Auth. This is a well-needed 
> security measure. And it'd be easy to make it backwards compatible (with 
> an attribute on <form> for example) so that if the browser didn't 
> support the new HTML features it would fall back to a traditional HTTP 
> POST.

I agree this would be great.

The problem is I can't work out how to do it.

Here's how I imagine the ideal setup would be:

 1. Form appears on a non-authenticated page, e.g. on the home page of 
    http://www.example.com/

 2. If the user uses the form in a legacy UA, it does a post (or similar) 
    to a URI, and the user appears logged in.

 3. If the user uses the form in a WF2 UA, it does a post (or similar) to
    a URI, and sends HTTP authentication information in the process.

Parts 1 and 3 are relatively easy, just a matter of deciding on some 
syntax. Part 2 is the problem. I guess part 2 could be implemented by 
using redirects to user:password at host URIs, but IE6 on XPSP2 doesn't 
support that anymore.

If we don't do that, then we are basically down to:

 1. Form appears on a non-authenticated page, e.g. on the home page of 
    http://www.example.com/

 2. If the user uses the form in a legacy UA, it does a post (or similar) 
    to a URI, which then asks the user for authentication (again) using 
    the UA's HTTP support.

 3. If the user uses the form in a WF2 UA, it does a post (or similar) to
    a URI, and sends HTTP authentication information in the process.

Maybe we should hide the username/password fields from legacy UAs, so that 
on old UAs it just has a login button, but new UAs have the button as 
well as username and password fields?

What do people think? Any opinions?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
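The fallback in the second outline above (the POST target answering with a 401 and the UA completing HTTP Digest authentication) as a worked exchange with both sides' messages. This is an added example for this archive page, not code from the original thread or from the WHATWG; the realm, login path, user name and password are constructed for the demo, and the client/server split follows RFC 2617 with qop=auth.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values for the demo (assumptions, not from the original post).
REALM = "example.com"
LOGIN_URI = "/login"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_params(header: str):
    """Split 'Scheme k1="v1", k2=v2' into (scheme, {k: v}); handles quoted and bare values.
    (Values containing a comma or a quote are not handled; the demo avoids them.)"""
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def make_challenge(realm: str, nonce: str) -> str:
    """WWW-Authenticate value the server sends with its 401."""
    return f'Digest realm="{realm}", qop="auth", nonce="{nonce}", algorithm=MD5'


def digest_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Client side: challenge + typed credentials -> Authorization header value."""
    scheme, p = parse_params(challenge)
    if scheme != "Digest" or "auth" not in p.get("qop", "").split(","):
        raise ValueError("unsupported challenge")
    ha1 = md5_hex(f"{username}:{p['realm']}:{password}")
    response = digest_from_ha1(ha1, method, uri, p["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class DigestServer:
    """Server side: issues nonces, stores HA1 (never the password), verifies responses."""

    def __init__(self, realm):
        self.realm = realm
        self.ha1_by_user = {}
        self.live_nonces = set()
        self.seen = set()  # (nonce, nc) pairs already accepted; a repeat is a replay

    def add_user(self, username, password):
        self.ha1_by_user[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return make_challenge(self.realm, nonce)

    def verify(self, authorization, method, uri):
        scheme, p = parse_params(authorization)
        needed = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
        if scheme != "Digest" or not needed.issubset(p):
            return False
        if p["realm"] != self.realm or p["uri"] != uri or p.get("qop", "auth") != "auth":
            return False
        if p["nonce"] not in self.live_nonces or (p["nonce"], p["nc"]) in self.seen:
            return False
        ha1 = self.ha1_by_user.get(p["username"])
        if ha1 is None:
            return False
        expected = digest_from_ha1(ha1, method, uri, p["nonce"], p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.seen.add((p["nonce"], p["nc"]))
        return True


def demo():
    """One exchange: POST -> 401 + challenge -> retried POST carrying Authorization."""
    server = DigestServer(REALM)
    server.add_user("alice", "correct horse")
    challenge = server.challenge()
    good = build_authorization(challenge, "alice", "correct horse", "POST", LOGIN_URI, "00000001", "c0ffee")
    bad_pw = build_authorization(challenge, "alice", "wrong", "POST", LOGIN_URI, "00000002", "c0ffee")
    fresh = build_authorization(challenge, "alice", "correct horse", "POST", LOGIN_URI, "00000003", "c0ffee")
    return {
        "good": server.verify(good, "POST", LOGIN_URI),
        "replay": server.verify(good, "POST", LOGIN_URI),
        "wrong_password": server.verify(bad_pw, "POST", LOGIN_URI),
        "wrong_uri": server.verify(fresh, "POST", "/other"),
        "wrong_method": server.verify(fresh, "GET", LOGIN_URI),
    }


if __name__ == "__main__":
    print(demo())
```

The server keeps only HA1 = MD5(username:realm:password) per user, which is all Digest needs to verify a response, and refuses a repeated (nonce, nc) pair so a captured Authorization header cannot simply be resent. MD5 is what RFC 2617 specifies; the scheme's strength against an attacker who captures the exchange is that of an offline guess at the password, which is why the transport still matters.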


