Authentication

  • Paul Prescod
    Message 1 of 3 , Jan 10, 2002
      Why do so many websites use home-spun HTML/cookie authentication
      (login/password) instead of HTTP authentication? I'm guessing it is all
      about user interface issues -- being able to put the login box
      where-ever you want it.

      What needs to be done to web infrastructure so that this bit of context
      moves from the HTML/cookie domain down into HTTP where it is supposed to
      live?

      Paul Prescod
    • Mark Baker
      Message 2 of 3 , Jan 10, 2002
        > Why do so many websites use home-spun HTML/cookie authentication
        > (login/password) instead of HTTP authentication? I'm guessing it is all
        > about user interface issues -- being able to put the login box
        > where-ever you want it.

        Exactly right. This is a major issue, as it prevents many tasks from
        being automated.

        > What needs to be done to web infrastructure so that this bit of context
        > moves from the HTML/cookie domain down into HTTP where it is supposed to
        > live?

        I don't know that there's a quick fix. One thing I was thinking of was
        an HTML/XHTML extension that would allow more flexibility in the user
        interface of the authentication system. But it would take forever to
        roll that out.

        Other ideas:
        - conventions for cookie values. Would also be difficult to roll out,
        as HTTP libs that support cookies would all need fixing.
        - recognizing forms with two fields where one is a password input type,
        and somehow kludging that knowledge into the auth system. Easier to
        roll out, but error prone, and not sure how the kludge would work.

        MB
        --
        Mark Baker, Chief Science Officer, Planetfred, Inc.
        Ottawa, Ontario, CANADA. mbaker@...
        http://www.markbaker.ca http://www.planetfred.com
      • Mark Nottingham
        Message 3 of 3 , Jan 10, 2002
          On Thu, Jan 10, 2002 at 01:14:07PM -0500, Mark Baker wrote:
          > > Why do so many websites use home-spun HTML/cookie authentication
          > > (login/password) instead of HTTP authentication? I'm guessing it
          > > is all about user interface issues -- being able to put the login
          > > box where-ever you want it.
          >
          > Exactly right. This is a major issue, as it prevents many tasks
          > from being automated.

          I think the issue is more that publishers don't have much control
          over the authentication state on the browser; things like remembering
          the username between sessions, logging out, etc. weren't addressable
          until IE and later Mozilla introduced password management interfaces.
          They're still less capable than cookie handling, unfortunately.

          Also, it was drilled into everyone's heads that Basic authentication
          isn't secure. Some people thought that magically using cookies would
          solve this, whilst the more savvy used encrypted or hashed values in
          cookies. There is Digest authentication, but it was plagued with
          specification and implementation problems, IIRC.


          > - conventions for cookie values. Would also be difficult to roll out,
          > as HTTP libs that support cookies would all need fixing.

          What kind of conventions? It strikes me that defining conventions for
          cookies is about as friendly as defining conventions for URIs like
          well-known locations...


          > - recognizing forms with two fields where one is a password input type,
          > and somehow kludging that knowledge into the auth system. Easier to
          > roll out, but error prone, and not sure how the kludge would work.

          I believe this is what Mozilla and IE do now. Of course, the auth is
          still sent as a cookie.


          Cheers,

          --
          Mark Nottingham
          http://www.mnot.net/
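To make the two mechanisms discussed in this thread concrete, here is an added example (not code from the thread or its authors) that decodes an `Authorization: Basic` header, showing why the credentials are readable by anyone who sees the request, next to the "hashed values in cookies" approach: a server-side HMAC-signed session cookie carrying only a user name and expiry. The secret, function names and sample credentials are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def parse_basic_auth(header_value):
    """Decode an 'Authorization: Basic ...' header into (user, password).

    The value is only base64-encoded, so anyone who can read the request
    (no TLS, a proxy, a log file) recovers the password unchanged.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, sep, password = base64.b64decode(blob).decode().partition(":")
    return (user, password) if sep else None


def issue_session_cookie(user, now=None, ttl=3600):
    """Build a cookie value 'user|expiry|mac' signed with HMAC-SHA256.

    Only the user name and an expiry travel with the cookie; the password is
    never re-sent, and the MAC lets the server detect tampering.
    """
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{user}|{expiry}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_session_cookie(cookie, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry, mac = cookie.split("|")
        expiry = int(expiry)
    except ValueError:  # wrong field count or non-numeric expiry
        return None
    expected = hmac.new(SERVER_SECRET, f"{user}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(mac, expected):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return user
```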