[whatwg] Solving the login/logout problem in HTML

Calogero Alex Baldacchino alex.baldacchino at email.it
Wed Nov 26 14:42:33 PST 2008


Martin Atkins wrote:
 > Asbjørn Ulsberg wrote:
 >>
 >>  [Request 1]
 >>
 >>  GET /administration/ HTTP/1.1
 >>
 >>
 >>  [Response 1]
 >>
 >>  HTTP/1.1 401 Unauthorized
 >>  WWW-Authenticate: HTML realm="Administration"
 >>
 >>  <!DOCTYPE html>
 >>  <html>
 >>    ....
 >>    <form action="/login">
 >>      <input name="username">
 >>      <input type="password" name="password">
 >>      <input type="submit">
 >>    </form>
 >>  </html>
 >>
 >>
 >>  [Request 2]
 >>
 >>  POST /login HTTP/1.1
 >>
 >>  username=admin&password=secret
 >>
 >>
 >>  [Response 2]
 >>
 >>  HTTP/1.1 302 Found
 >>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
 >>  Location: /administration/
 >>
 >>
 >>  [Request 3]
 >>
 >>  GET /administration/ HTTP/1.1
 >>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
 >>
 >>  [Response 3]
 >>
 >>  HTTP/1.1 200 OK
 >>
 >>  <!DOCTYPE html>
 >>  <html>
 >>    ...
 >>    <h1>Welcome!</h1>
 >>  </html>
 >>
 >> The twist here is that it is up to the server to provide the
 >> authentication token and through the 'Authorization' header, give the
 >> client a way to authorize future requests.
 >
 > Your auth token here seems to me to be equivalent to a session cookie.
 >
 > If you change the "Authorization" header in Response 2 to
 > "Set-Cookie" (and make some syntactic adjustments) then this doesn't
 > require any changes to how deployed apps handle sessions today.
 >
 >
Perhaps that token was meant as a cross-session one, surviving until an
explicit logout.
 
 

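The three-request exchange quoted above, together with Martin's point that the server-issued token behaves like a session cookie, as an added runnable example; this is not code from the original thread or from any of its authors. It simulates the proposed "HTML" scheme with an in-memory origin server and a user agent that stores and replays whatever Authorization header the server returns. The POST /logout endpoint is an assumption (the quoted proposal shows none), added only to illustrate the "surviving until an explicit logout" reading. One caveat a practitioner would want: the token in the quoted messages, QWxhZGRpbjpvcGVuIHNlc2FtZQ==, is not opaque; it is the base64 encoding of Aladdin:open sesame, the familiar Basic-auth example string. The example therefore issues a random token and keeps a small helper that decodes the original to show the difference.

```python
"""Simulation of the proposed server-issued 'HTML' Authorization scheme.

Added illustration, not code from the whatwg thread. The credential store,
the /logout endpoint and the 'HTML' scheme name are assumptions for the example.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode

REALM = "Administration"
SCHEME = "HTML"
USERS = {"admin": "secret"}  # constructed credentials; a real store holds hashes

LOGIN_FORM = (
    '<!DOCTYPE html><html><form action="/login" method="post">'
    '<input name="username"><input type="password" name="password">'
    '<input type="submit"></form></html>'
)


class Server:
    """Origin server: challenges, issues a random token, honours it, revokes it."""

    def __init__(self):
        self.sessions = {}  # token -> username; valid until /logout removes it

    def handle(self, method, path, headers=None, body=""):
        headers = headers or {}
        if method == "GET" and path == "/administration/":
            return self._administration(headers)
        if method == "POST" and path == "/login":
            return self._login(body)
        if method == "POST" and path == "/logout":  # assumed endpoint
            self.sessions.pop(self._token_from(headers), None)
            return 302, {"Location": "/"}, ""
        return 404, {}, "Not Found"

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'{SCHEME} realm="{REALM}"'}, LOGIN_FORM

    def _token_from(self, headers):
        parts = headers.get("Authorization", "").split()
        return parts[1] if len(parts) >= 2 and parts[0] == SCHEME else None

    def _administration(self, headers):
        user = self.sessions.get(self._token_from(headers))
        if user is None:
            return self._challenge()
        return 200, {}, f"<h1>Welcome, {user}!</h1>"

    def _login(self, body):
        fields = dict(parse_qsl(body))
        username, password = fields.get("username", ""), fields.get("password", "")
        valid = username in USERS and hmac.compare_digest(
            USERS[username].encode(), password.encode())  # constant-time compare
        if not valid:
            return self._challenge()
        token = secrets.token_urlsafe(32)  # opaque, unrelated to the credentials
        self.sessions[token] = username
        return 302, {"Authorization": f'{SCHEME} {token} realm="{REALM}"',
                     "Location": "/administration/"}, ""


class Client:
    """User agent that remembers the Authorization header the server handed out."""

    def __init__(self, server):
        self.server = server
        self.authorization = None

    def request(self, method, path, body=""):
        headers = {"Authorization": self.authorization} if self.authorization else {}
        status, resp_headers, resp_body = self.server.handle(method, path, headers, body)
        # The proposal's twist: the *server* sends Authorization and the client
        # replays it on later requests, which is exactly what a session cookie does.
        if "Authorization" in resp_headers:
            self.authorization = resp_headers["Authorization"]
        return status, resp_headers, resp_body


def run_exchange(username="admin", password="secret"):
    """Replay Requests 1-3 of the quoted proposal; return the statuses and the client."""
    client = Client(Server())
    statuses = [client.request("GET", "/administration/")[0]]
    form = urlencode({"username": username, "password": password})
    statuses.append(client.request("POST", "/login", form)[0])
    statuses.append(client.request("GET", "/administration/")[0])
    return statuses, client


def decode_example_token(token="QWxhZGRpbjpvcGVuIHNlc2FtZQ=="):
    """The token in the quoted messages is just base64 of 'user:password'."""
    return base64.b64decode(token).decode()


if __name__ == "__main__":
    statuses, client = run_exchange()
    print(statuses, client.authorization)
    print(decode_example_token())
```

Running it prints `[401, 302, 200]` followed by the issued header; a wrong password yields `[401, 401, 401]`, and after `client.request("POST", "/logout")` the next GET is challenged again because the token was deleted server-side, which is the explicit-logout behaviour a cookie-based session gives you with the same amount of server state.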