[whatwg] Solving the login/logout problem in HTML

Ian Hickson ian at hixie.ch
Wed Nov 26 03:58:58 PST 2008


On Wed, 26 Nov 2008, Thomas Broyer wrote:
>
> I came to the same conclusion and already implemented it (with a custom 
> application-specific scheme) in an Enterprise app (the custom scheme 
> accepts both HTML form, i.e. cookie, and an Authorization request-header 
> –we're using it for XMLHttpRequests to "bypass" any cookie and 
> therefore allow more than one "user session" in the same "browser 
> session").

Cool!


> >   challenge = "HTML" [ form ]
> >   form      = "form" "=" form-name
> >   form-name = quoted-string
> 
> RFC2617 states that "The realm directive (case-insensitive) is required 
> for all authentication schemes that issue a challenge."

I didn't really understand how the realm would work here, which is why I 
didn't include it. Is this a case where we should violate RFC2617? (Note 
that we're in a rather unusual case here because the challenge never gets 
a reply in the traditional sense.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
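
As an added example (not part of the original message or of the proposal), here is a parser for the challenge grammar quoted above that also reports the missing realm directive discussed in this reply. The function names and sample values are constructed, and accepting further comma-separated auth-params such as realm is an assumption beyond the three quoted grammar lines.

```python
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token "=" ( token | quoted-string ), comma-separated (RFC 2617)
_PARAM = re.compile(
    r'\s*(' + _TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r'))\s*(?:,|$)'
)


def parse_challenge(value):
    """Return (scheme, {name: (value, was_quoted)}) for a single challenge."""
    scheme, _, rest = value.strip().partition(" ")
    if not re.fullmatch(_TOKEN, scheme):
        raise ValueError("bad auth-scheme")
    params, pos, rest = {}, 0, rest.strip()
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in params:
            raise ValueError("duplicate auth-param: " + name)
        if m.group(2) is not None:
            # quoted-string: drop the quotes and undo backslash escapes
            params[name] = (re.sub(r"\\(.)", r"\1", m.group(2)), True)
        else:
            params[name] = (m.group(3), False)
        pos = m.end()
    return scheme, params


def check_html_challenge(value):
    """List the ways a challenge departs from the quoted grammar and RFC 2617."""
    scheme, params = parse_challenge(value)
    findings = []
    if scheme.upper() != "HTML":
        findings.append("scheme is not HTML")
    if "form" in params and not params["form"][1]:
        findings.append("form-name must be a quoted-string")
    if "realm" not in params:
        findings.append("no realm directive")
    return findings


if __name__ == "__main__":
    # Constructed sample challenge values, not taken from the thread.
    for sample in ('HTML form="login"', 'HTML realm="app", form="login"', "HTML form=login"):
        print(sample, "->", check_html_challenge(sample))
```
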

