[whatwg] Solving the login/logout problem in HTML

Martin Atkins mart at degeneration.co.uk
Wed Nov 26 14:35:46 PST 2008


Asbjørn Ulsberg wrote:
> 
>  [Request 1]
> 
>  GET /administration/ HTTP/1.1
> 
> 
>  [Response 1]
> 
>  HTTP/1.1 401 Unauthorized
>  WWW-Authenticate: HTML realm="Administration"
> 
>  <!DOCTYPE html>
>  <html>
>    ....
>    <form action="/login">
>      <input name="username">
>      <input type="password" name="password">
>      <input type="submit">
>    </form>
>  </html>
> 
> 
>  [Request 2]
> 
>  POST /login HTTP/1.1
> 
>  username=admin&password=secret
> 
> 
>  [Response 2]
> 
>  HTTP/1.1 302 Found
>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>  Location: /administration/
>  
> 
>  [Request 3]
> 
>  GET /administration/ HTTP/1.1
>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
> 
>  [Response 3]
> 
>  HTTP/1.1 200 OK
> 
>  <!DOCTYPE html>
>  <html>
>    ...
>    <h1>Welcome!</h1>
>  </html>
> 
> The twist here is that it is up to the server to provide the 
> authentication token and through the 'Authorization' header, give the 
> client a way to authorize future requests.

Your auth token here seems to me to be equivalent to a session cookie.

If you change the "Authorization" header in Response 2 to "Set-Cookie" 
(and make some syntactic adjustments) then this doesn't require any 
changes to how deployed apps handle sessions today.





More information about the whatwg mailing list