[whatwg] Solving the login/logout problem in HTML
Thomas Broyer
t.broyer at gmail.com
Thu Nov 27 03:26:16 PST 2008
On Wed, Nov 26, 2008 at 10:38 PM, Ian Hickson wrote:
>
> Ok let me rephrase. What are the user agent requirements for processing
> the "realm" value? For other schemes, it's basically "show the realm to
> the user as a hint as to what password is wanted".
The realm is (should be) part of the key used by password managers:
The realm value (case-sensitive), in combination with the canonical root
URL […] of the server being accessed, defines the protection space.
These realms allow the protected resources on a server to be
partitioned into a set of protection spaces, each with its own
authentication scheme and/or authorization database.
(RFC 2617, § 1.2)
With Basic, the other part of the key is the requested URI (and
applies to all "deeper" URIs as well; the password manager key should
then be updated as soon as a request to a "shallower" URI results in a
401 with the same realm):
A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.
(RFC 2617, § 2)
With Digest, the optional 'domain' parameter explicitly specifies the
"URI spaces" govern by the authentication realm. The 'domain'
parameter can thus broaden or narrow the realm):
Digest authentication requires that the authenticating agent (usually
the server) store some data derived from the user's name and password
in a "password file" associated with a given realm.
(RFC 2617, § 4.13)
> But here we aren't going to show anything to the user.
Given that the "HTML" scheme shows the login form at the requested
URI, autocomplete of credentials that most UAs do cannot be based on
the form's URI (or it would impair the user experience), the realm can
be used by the UA to identify the login form and associate the user's
credentials in the password manager.
--
Thomas Broyer
More information about the whatwg
mailing list