[whatwg] fixing the authentication problem
Kornel Lesinski
kornel at geekhood.net
Tue Oct 21 12:07:35 PDT 2008
You're re-inventing Digest authentication (RFC 2617).
Digest has two-way authentication with hashed challenge-response, nonces,
can use passwords stored as hashes (though not as secure as storage for
plaintext auth), avoids insecurity of cookies and even has simple data
integrity verification.
...and it's all futile if attacker can modify a single byte sent over the
network.
Anyway, it doesn't make sense to duplicate all that functionality in forms
just because typical interface for HTTP authentication is ugly and
unusable. You can fix the interface, and there's proposal for it already
(from 1999!):
http://www.w3.org/TR/NOTE-authentform
I think that proposal is generally a good idea, but the details could be
improved (i.e. should reuse existing forms and input types rather than
creating new ones that can't offer seamless fallback).
--
regards, Kornel Lesinski
More information about the whatwg
mailing list