[whatwg] Solving the login/logout problem in HTML

Thomas Broyer t.broyer at gmail.com
Thu Nov 27 03:26:16 PST 2008

On Wed, Nov 26, 2008 at 10:38 PM, Ian Hickson wrote:
> Ok let me rephrase. What are the user agent requirements for processing
> the "realm" value? For other schemes, it's basically "show the realm to
> the user as a hint as to what password is wanted".

The realm is (should be) part of the key used by password managers:
   The realm value (case-sensitive), in combination with the canonical root
   URL […] of the server being accessed, defines the protection space.
   These realms allow the protected resources on a server to be
   partitioned into a set of protection spaces, each with its own
   authentication scheme and/or authorization database.
(RFC 2617, § 1.2)

With Basic, the other part of the key is the requested URI (and
applies to all "deeper" URIs as well; the password manager key should
then be updated as soon as a request to a "shallower" URI results in a
401 with the same realm):
   A client SHOULD assume that all paths at or deeper than the depth of
   the last symbolic element in the path field of the Request-URI also
   are within the protection space specified by the Basic realm value of
   the current challenge. A client MAY preemptively send the
   corresponding Authorization header with requests for resources in
   that space without receipt of another challenge from the server.
(RFC 2617, § 2)

With Digest, the optional 'domain' parameter explicitly specifies the
"URI spaces" govern by the authentication realm. The 'domain'
parameter can thus broaden or narrow the realm):
   Digest authentication requires that the authenticating agent (usually
   the server) store some data derived from the user's name and password
   in a "password file" associated with a given realm.
(RFC 2617, § 4.13)

> But here we aren't going to show anything to the user.

Given that the "HTML" scheme shows the login form at the requested
URI, autocomplete of credentials that most UAs do cannot be based on
the form's URI (or it would impair the user experience), the realm can
be used by the UA to identify the login form and associate the user's
credentials in the password manager.

Thomas Broyer

More information about the whatwg mailing list