[whatwg] fixing the authentication problem
kornel at geekhood.net
Tue Oct 21 12:07:35 PDT 2008
You're re-inventing Digest authentication (RFC 2617).

Digest has two-way authentication with hashed challenge-response, nonces,
can use passwords stored as hashes (though not as secure as storage for
plaintext auth), avoids the insecurity of cookies and even has simple data

...and it's all futile if an attacker can modify a single byte sent over the

Anyway, it doesn't make sense to duplicate all that functionality in forms
just because the typical interface for HTTP authentication is ugly and
unusable. You can fix the interface, and there's a proposal for it already

I think that proposal is generally a good idea, but the details could be
improved (i.e. should reuse existing forms and input types rather than
creating new ones that can't offer seamless fallback).
regards, Kornel Lesinski
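The RFC 2617 challenge-response that the post refers to, as an added illustration that is not part of the original message: the client answers a server nonce with MD5(HA1:nonce:nc:cnonce:qop:HA2), and the server verifies it from a stored HA1 rather than the plaintext password, rejecting replays and altered requests. Realm, user name, password and URIs are constructed for the example.

```python
import hashlib
import hmac
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). A server may store this instead of
    # the plaintext password; it is what the post means by "stored as hashes".
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    # where HA2 = MD5(method:uri).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_authorize(username, password, realm, nonce, method, uri, cnonce, nc="00000001"):
    # Client side: derive HA1 from the password and answer the server's nonce.
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}

def server_verify(auth, stored_ha1, method, issued_nonce, seen_nc):
    # Server side: only HA1 is needed, never the password. The nonce must be
    # one we issued and the nc counter must not repeat (replay check).
    if auth["nonce"] != issued_nonce or auth["nc"] in seen_nc:
        return False
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    if not hmac.compare_digest(expected, auth["response"]):
        return False
    seen_nc.add(auth["nc"])
    return True

def demo():
    # Constructed credentials; the nonce is freshly generated by the "server".
    realm, user, pw = "example.test", "alice", "correct horse"
    stored = ha1(user, realm, pw)          # what the server keeps on disk
    nonce = secrets.token_hex(16)
    seen = set()
    auth = client_authorize(user, pw, realm, nonce, "GET", "/private", secrets.token_hex(4))
    first = server_verify(auth, stored, "GET", nonce, seen)
    replay = server_verify(auth, stored, "GET", nonce, seen)   # same nc again
    tampered = dict(auth, uri="/admin")     # one field altered in transit
    altered = server_verify(tampered, stored, "GET", nonce, set())
    return first, replay, altered
```

Note that none of this protects the unauthenticated challenge itself, which is the post's point about an attacker who can alter bytes on the wire.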