  • Elliotte Harold
    Jun 1, 2006
      Seairth Jacobs wrote:

      > Check out
      > http://www.peej.co.uk/articles/http-auth-with-html-forms.html. I can
      > also see some variations on this theme to allow a "logout" sort of
      > function which is also a regular complaint about HTTP authentication.

      Cool! I'll have to remember this.

      One minor point. You write "The HTTP spec doesn't say we're allowed to
      have URLs with usernames and passwords in them so we can't guarantee
      that they work anywhere else either."

      It's not really the HTTP spec that's relevant. It's the URI spec, RFC
      3986. What that says is:

      The userinfo subcomponent may consist of a user name and, optionally,
      scheme-specific information about how to gain authorization to access
      the resource. The user information, if present, is followed by a
      commercial at-sign ("@") that delimits it from the host.

      userinfo = *( unreserved / pct-encoded / sub-delims / ":" )

      Use of the format "user:password" in the userinfo field is
      deprecated. Applications should not render as clear text any data
      after the first colon (":") character found within a userinfo
      subcomponent unless the data after the colon is the empty string
      (indicating no password). Applications may choose to ignore or
      reject such data when it is received as part of a reference and
      should reject the storage of such data in unencrypted form. The
      passing of authentication information in clear text has proven to be
      a security risk in almost every case where it has been used.

      Elliotte Rusty Harold
      Java I/O 2nd Edition Just Published!
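An added example (not from this thread or the linked article) of applying the RFC 3986 userinfo rules quoted above in Python: check the userinfo ABNF, treat only the data after the first unencoded ":" as a password, render it masked, and refuse to store it. The function names and the "***" placeholder are my own assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# RFC 3986: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
_USERINFO_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*$")


def split_userinfo(url):
    """Return (userinfo, hostport) for url's authority; userinfo is None if absent.

    A raw "@" is not allowed inside userinfo, so the last "@" in the authority
    is the delimiter; anything before it that fails the ABNF is rejected
    rather than guessed at.
    """
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None, netloc
    userinfo, _, hostport = netloc.rpartition("@")
    if not _USERINFO_RE.match(userinfo):
        raise ValueError("userinfo violates RFC 3986 ABNF: %r" % userinfo)
    return userinfo, hostport


def clear_text_password(url):
    """Return the data after the first ':' of userinfo, or None if there is none.

    An empty string after the colon means "no password" and is not a secret.
    A percent-encoded colon (%3A) is part of the user name, not a delimiter.
    """
    userinfo, _ = split_userinfo(url)
    if userinfo is None:
        return None
    _, sep, secret = userinfo.partition(":")
    return secret if sep and secret else None


def redact_url(url, placeholder="***"):
    """Render url for logs or a UI with the clear-text password masked."""
    if clear_text_password(url) is None:
        return url
    p = urlsplit(url)
    userinfo, _, hostport = p.netloc.rpartition("@")
    user = userinfo.partition(":")[0]
    return urlunsplit((p.scheme, f"{user}:{placeholder}@{hostport}", p.path, p.query, p.fragment))


def storable(url):
    """Refuse, as RFC 3986 says applications should, to persist a URL carrying a password."""
    if clear_text_password(url) is not None:
        raise ValueError("refusing to store a URL with a clear-text password in userinfo")
    return url
```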
