[whatwg] Solving the login/logout problem in HTML
Julian Reschke
julian.reschke at gmx.de
Wed Nov 26 02:41:05 PST 2008
Ian Hickson wrote:
> On Wed, 26 Nov 2008, Julian Reschke wrote:
>> Ian Hickson wrote:
>>> ...
>>> As can be seen in the feedback below, there is interest in improving the So
>>> when you get to a page that expects you to be logged in, it return a 401
>>> with:
>>>
>>> WWW-Authenticate: HTML form="login"
>>>
>>> ...and there must be a <form> element with name="login", which represents
>>> the form that must be submitted to log in.
>>> ...
>> For security reasons, I'd prefer that to be "the <form> element",
>> instead of "a <form> element" -- having multiple copies of the name in
>> the same document should be considered a fatal error.
>
> Having multiple <form> elements with the same name is already an error.
Yes.
> I'm not sure what you mean by "fatal" error. The spec precisely defines
> which form should be used in the case of multiple forms with the same
> name. Could you describe the attack scenario you are considering?
If everybody UA is going to run an HTML5 parser as specified, then a
problem is unlikely. I just don't believe this is going to happen. In
*that* case, ambiguous login information is a problem, and a simple ans
safe way to avoid this issue is to tell clients to abort when they
detect the problem.
>>>> Yes, that's a simpler option. :-) (Provided that current browsers
>>>> still ask for authentication even when given a 200 OK.)
>>> I don't think they do now, but it's something we can move towards.
>> I think asking for credentials when the status is 200 would be a bug.
>
> Even in the asynchronous way mpt suggested? I think it would go a long way
> towards addressing the limitations of HTTP authentication. One of the
> great benefits of HTML authentication forms is that they can be made
> available in the equivalent of a 200 OK situation as opposed to only in
> the equivalent of a 401 situation.
You can already handle the case of content that's available
unauthenticated, but would potentially differ in case of being
authenticated by adding
Vary: Authorization
to a response.
BR, Julian
More information about the whatwg
mailing list