[whatwg] fixing the authentication problem

Kornel Lesinski kornel at geekhood.net
Tue Oct 21 12:07:35 PDT 2008


You're re-inventing Digest authentication (RFC 2617).

Digest has two-way authentication with hashed challenge-response, nonces,  
can use passwords stored as hashes (though not as secure as storage for  
plaintext auth), avoids insecurity of cookies and even has simple data  
integrity verification.

...and it's all futile if attacker can modify a single byte sent over the  
network.

Anyway, it doesn't make sense to duplicate all that functionality in forms  
just because typical interface for HTTP authentication is ugly and  
unusable. You can fix the interface, and there's proposal for it already  
(from 1999!):
http://www.w3.org/TR/NOTE-authentform

I think that proposal is generally a good idea, but the details could be  
improved (i.e. should reuse existing forms and input types rather than  
creating new ones that can't offer seamless fallback).

-- 
regards, Kornel Lesinski



More information about the whatwg mailing list