Re: [rest-discuss] Can ReST replace cookies?
Jun 1, 2006

Seairth Jacobs wrote:
> Check out
> http://www.peej.co.uk/articles/http-auth-with-html-forms.html. I can
> also see some variations on this theme to allow a "logout" sort of
> function which is also a regular complaint about HTTP authentication.

Cool! I'll have to remember this.
One minor point. You write "The HTTP spec doesn't say we're allowed to
have URLs with usernames and passwords in them so we can't guarantee
that they work anywhere else either."
It's not really the HTTP spec that's relevant. It's the URI spec, RFC
3986. What that says is:
The userinfo subcomponent may consist of a user name and, optionally,
scheme-specific information about how to gain authorization to access
the resource. The user information, if present, is followed by a
commercial at-sign ("@") that delimits it from the host.
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
Use of the format "user:password" in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (":") character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.
Elliotte Rusty Harold elharo@...
Java I/O 2nd Edition Just Published!
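As an added example (not code from the thread or from peej's article), here is a small Python parser for the userinfo subcomponent that applies the RFC 3986 text quoted above: it checks the ABNF, splits at the first colon, masks any cleartext password when rendering a reference for display, and refuses such references for storage. All function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ABNF from RFC 3986 (sections 3.2.1 and appendix A):
#   userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
#   unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   pct-encoded = "%" HEXDIG HEXDIG
#   sub-delims  = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_USERINFO_RE = re.compile(rf"^(?:[{_UNRESERVED}{_SUB_DELIMS}:]|%[0-9A-Fa-f]{{2}})*$")
# scheme "://" authority rest; the authority ends at the first "/", "?" or "#"
_AUTHORITY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*://)([^/?#]*)(.*)$")


@dataclass
class UserInfo:
    user: str
    secret: Optional[str]  # None: no colon at all; "": "user:" (RFC's "no password")


def extract_userinfo(uri: str) -> Optional[str]:
    """Return the raw userinfo of an absolute URI, or None when the reference has none.
    Raises ValueError if the text before "@" falls outside the RFC 3986 grammar."""
    m = _AUTHORITY_RE.match(uri)
    if not m or "@" not in m.group(2):
        return None
    raw = m.group(2).rsplit("@", 1)[0]  # "@" cannot occur in host, so split at the last one
    if not _USERINFO_RE.match(raw):
        raise ValueError("userinfo contains characters outside the RFC 3986 grammar")
    return raw


def parse_userinfo(raw: str) -> UserInfo:
    """Split at the FIRST colon, as the RFC says; any later colons belong to the secret."""
    user, sep, secret = raw.partition(":")
    return UserInfo(user=user, secret=secret if sep else None)


def render_for_display(uri: str) -> str:
    """Mask everything after the first colon of userinfo ("should not render as clear text").
    An empty password ("user:@host") stays visible, which the RFC explicitly allows."""
    raw = extract_userinfo(uri)
    if raw is None or not parse_userinfo(raw).secret:
        return uri
    m = _AUTHORITY_RE.match(uri)
    return f"{m.group(1)}{parse_userinfo(raw).user}:***{m.group(2)[len(raw):]}{m.group(3)}"


def accept_for_storage(uri: str) -> bool:
    """Reject references carrying a non-empty cleartext password ("should reject the storage")."""
    raw = extract_userinfo(uri)
    return raw is None or not parse_userinfo(raw).secret
```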