[whatwg] Solving the login/logout problem in HTML
Calogero Alex Baldacchino
alex.baldacchino at email.it
Wed Nov 26 14:42:33 PST 2008
Martin Atkins wrote:
> Asbjørn Ulsberg wrote:
>>
>> [Request 1]
>>
>> GET /administration/ HTTP/1.1
>>
>>
>> [Response 1]
>>
>> HTTP/1.1 401 Unauthorized
>> WWW-Authenticate: HTML realm="Administration"
>>
>> <!DOCTYPE html>
>> <html>
>> ....
>> <form action="/login">
>> <input name="username">
>> <input type="password" name="password">
>> <input type="submit">
>> </form>
>> </html>
>>
>>
>> [Request 2]
>>
>> POST /login HTTP/1.1
>>
>> username=admin&password=secret
>>
>>
>> [Response 2]
>>
>> HTTP/1.1 302 Found
>> Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>> Location: /administration/
>>
>>
>> [Request 3]
>>
>> GET /administration/ HTTP/1.1
>> Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>>
>> [Response 3]
>>
>> HTTP/1.1 200 OK
>>
>> <!DOCTYPE html>
>> <html>
>> ...
>> <h1>Welcome!</h1>
>> </html>
>>
>> The twist here is that it is up to the server to provide the
>> authentication token and through the 'Authorization' header, give the
>> client a way to authorize future requests.
>
> Your auth token here seems to me to be equivalent to a session cookie.
>
> If you change the "Authorization" header in Response 2 to
> "Set-Cookie" (and make some syntactic adjustments) then this doesn't
> require any changes to how deployed apps handle sessions today.
>
>
Perhaps that token was meant as a cross-session one, surviving until an
explicit logout.
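The exchange quoted above, played end to end as an added example (not code from anyone in the thread): a toy in-memory server that answers the form POST with the proposed `Authorization: HTML ... realm=...` header and revokes the token on an explicit logout, which is the "survives until logout" behaviour being discussed. The `/logout` route, the `handle` and `run_exchange` helpers and the demo credential store are assumptions, and the token is an opaque random value rather than the base64 credential shown in the quoted example.

```python
import secrets

REALM = "Administration"
USERS = {"admin": "secret"}  # constructed demo store; real code stores hashes
# Tokens issued so far, kept server side so an explicit logout can revoke
# them (assumption: the thread does not define how revocation works).
sessions = {}
LOGIN_FORM = ('<form action="/login"><input name="username">'
              '<input type="password" name="password">'
              '<input type="submit"></form>')

def parse_auth(headers):
    """Extract the token from 'Authorization: HTML <token> realm="..."'."""
    parts = headers.get("Authorization", "").split()
    if len(parts) < 2 or parts[0] != "HTML":
        return None
    return parts[1]

def handle(method, path, headers, body=""):
    """Return (status, headers, body) for one request in the proposed scheme."""
    challenge = {"WWW-Authenticate": f'HTML realm="{REALM}"'}
    token = parse_auth(headers)
    if method == "POST" and path == "/login":
        fields = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
        if USERS.get(fields.get("username")) != fields.get("password"):
            return 401, challenge, LOGIN_FORM
        # The quoted token is base64("Aladdin:open sesame"), i.e. the
        # credentials themselves; an opaque random value leaks nothing if stolen.
        token = secrets.token_urlsafe(32)
        sessions[token] = fields["username"]
        return 302, {"Authorization": f'HTML {token} realm="{REALM}"',
                     "Location": "/administration/"}, ""
    if method == "POST" and path == "/logout":
        sessions.pop(token, None)  # explicit logout: the token stops working
        return 302, {"Location": "/"}, ""
    if path.startswith("/administration/"):
        if token not in sessions:
            return 401, challenge, LOGIN_FORM
        return 200, {}, f"<h1>Welcome, {sessions[token]}!</h1>"
    return 404, {}, ""

def run_exchange():
    """Play Request 1-3 from the thread, then a logout and a retry; return statuses."""
    s1, _, _ = handle("GET", "/administration/", {})
    s2, h2, _ = handle("POST", "/login", {}, "username=admin&password=secret")
    auth = {"Authorization": h2["Authorization"]}
    s3, _, _ = handle("GET", h2["Location"], auth)
    s4, _, _ = handle("POST", "/logout", auth)
    s5, _, _ = handle("GET", "/administration/", auth)  # revoked token
    return [s1, s2, s3, s4, s5]
```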