Annotate for file notes.org
Commit: Switch to hasFeature(), which seems perfectly suited for this.
2010-10-27 pix
#+TITLE: Site-Controlled HTTP Authentication UI

* Motivation

HTTP Authentication is significantly less fundamentally broken than cookie-based
authentication. And, while I've been meaning to write this up for years, the
recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again.
(Firesheep works by sniffing session cookies on unencrypted networks; Basic
credentials sent over plain HTTP are exposed to the same sniffer, so moving to
HTTP Authentication does not remove the need to protect the transport.)

[tdm] explains many of the issues involved, so I'll just summarize briefly:
1. The browser UI for HTTP Authentication sucks
2. Websites want to control that UI

A natural consequence of these two things is that no sites use HTTP
Authentication, and browser vendors don't bother to make it not suck.

This is my proposal to make HTTP Authentication website-controlled, while
remaining backwards compatible with form-based authentication in browsers which
do not support the proposal.

* Proposal
** HTML Forms
Login forms need only add a single class to their <form> tag:
"http-authentication". This class signals to the browser that it should use the
"username" and "password" fields of this form as the corresponding fields in
HTTP Authentication. These fields MUST NOT be submitted with the rest of the
form when using HTTP Authentication.

Any additional information necessary to perform authentication (realm, nonces,
etc.) should be pulled from the standard WWW-Authenticate headers.

Any fields in the login form not understood by the browser as part of a login
request MUST be submitted as normal for the provided form.

** Changes to RFC 2617
WWW-Authenticate headers MAY be sent along with 2xx and 3xx responses to
indicate that a page supports optional authentication. Vary: Authorization and
appropriate Cache-Control headers should be used when doing so, so that caches
keep authenticated and unauthenticated responses apart rather than serving one
client's authenticated page to another.

A browser using form-based HTTP Authentication MAY use data acquired from a
WWW-Authenticate header sent with the form to authenticate itself without the
additional round-trip that would otherwise be required.
** Stopgap Measure
To use this feature before browsers implement it, sites may use JavaScript
techniques along the lines of [peej] to silently force the browser into HTTP
Authentication.

I've set up a (very rough) example at http://httpauth.kepibu.org/login.php. The
source code contains additional comments relevant to implementers of the stopgap
measure and can be fetched as a darcs repository via the command
: darcs get http://repo.kepibu.org/httpauth/

** Working with the Stopgap Measure in Browsers that Support This Spec
Assuming sites implement the stopgap measure, and browsers later introduce
native support for this specification, it becomes important for browsers and
sites to communicate with each other about who is in charge of handling the
form-to-http-auth transition.

As someone who loathes the number of sites that fall apart with JS disabled, it
is tempting to simply say browsers should refuse to fire JavaScript events on
the submission of http-authentication forms. However, since sites will almost
certainly be doing other things in the JavaScript for those forms, that is not a
viable option.

Instead, it seems prudent to utilize the DOMImplementation hasFeature function.
Thus, I propose a feature name of "HTTPFormAuth" and a version of "1.0": a
site's script calls hasFeature("HTTPFormAuth", "1.0") on
document.implementation and, when it returns true, leaves the credentials to
the browser instead of running its stopgap code.
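
The stopgap and the hasFeature hand-off described in the two sections above, as
an added example that is not the page's login.php and not code from [peej]: a
submit handler that defers to the browser when it claims "HTTPFormAuth" 1.0
support and otherwise primes the browser's credential cache with an
XMLHttpRequest carrying the form's username and password, then navigates. The
browser objects are injected so the flow can be exercised under Node.js with
constructed stand-ins; the `/protected/` and `/home` URLs, the `env` shape and
the assumption that a successful credentialed XHR makes the browser reuse those
credentials for the realm are all assumptions of the example. One caveat on the
feature test: the current DOM Standard makes hasFeature() return true for any
arguments, so a site deploying this today cannot take a true answer as proof of
support; the check is kept as the page proposes it.

```javascript
'use strict';
// Added example, not the kepibu.org login.php (whose source is in the darcs
// repository above).  A site's submit handler checks the proposed feature
// flag and, when the browser does not claim native support, performs the
// [peej]-style stopgap itself: an XMLHttpRequest to a protected URL with the
// form's credentials, so the browser caches them for the realm, then a
// navigation.  Browser objects are injected so the flow runs under Node.

// The proposal's feature test.  Caveat: the current DOM Standard makes
// hasFeature() return true for any arguments, so a deployment today cannot
// rely on this answer alone; the check is kept as the page proposes it.
function browserHandlesFormAuth(impl) {
  return !!(impl && typeof impl.hasFeature === 'function' &&
            impl.hasFeature('HTTPFormAuth', '1.0') === true);
}

// Stopgap login.  Assumption (from [peej]): after a successful XHR carrying
// user/password, the browser reuses those credentials for later requests to
// the same realm.  `XHR` is the XMLHttpRequest constructor.
function stopgapLogin(XHR, protectedUrl, username, password, onResult) {
  const xhr = new XHR();
  xhr.open('GET', protectedUrl, true, username, password);
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;
    onResult(xhr.status === 200);   // 401 here means the credentials were wrong
  };
  xhr.send(null);
}

// Attach the handler to a <form class="http-authentication">.  `env` holds
// { impl: document.implementation, XHR: XMLHttpRequest, navigate, onFailure }.
function attachHttpAuthForm(form, protectedUrl, landingUrl, env) {
  form.addEventListener('submit', function (ev) {
    if (browserHandlesFormAuth(env.impl)) {
      return;   // native support: the browser strips the credentials and authenticates itself
    }
    ev.preventDefault();   // stop the form from posting the password to the server
    const username = form.elements.username.value;
    const password = form.elements.password.value;
    stopgapLogin(env.XHR, protectedUrl, username, password, function (ok) {
      if (ok) env.navigate(landingUrl);
      else env.onFailure(form);
    });
  });
}

// ---- Constructed stand-ins for the browser objects (not real DOM code) ----
function makeFakeEnv(supportsSpec, xhrStatus) {
  const log = [];
  function FakeXHR() {}
  FakeXHR.prototype.open = function (method, url, async, user, pass) {
    log.push(['open', method, url, user, pass]);
  };
  FakeXHR.prototype.send = function () {   // answer synchronously with the canned status
    this.readyState = 4;
    this.status = xhrStatus;
    this.onreadystatechange();
  };
  const impl = {
    hasFeature: (name, version) => supportsSpec && name === 'HTTPFormAuth' && version === '1.0',
  };
  const env = {
    impl,
    XHR: FakeXHR,
    navigate: (url) => log.push(['navigate', url]),
    onFailure: () => log.push(['failure']),
  };
  return { env, log };
}

function makeFakeForm(username, password) {
  const listeners = [];
  return {
    elements: { username: { value: username }, password: { value: password } },
    addEventListener: (type, fn) => listeners.push(fn),
    submit() {
      let prevented = false;
      const ev = { preventDefault: () => { prevented = true; } };
      listeners.forEach((fn) => fn(ev));
      return prevented;
    },
  };
}

// Run one submission; returns whether the default submit was cancelled and
// what the fake browser objects saw.
function simulate(supportsSpec, xhrStatus) {
  const { env, log } = makeFakeEnv(supportsSpec, xhrStatus);
  const form = makeFakeForm('alice', 'correct horse');
  attachHttpAuthForm(form, '/protected/', '/home', env);
  const prevented = form.submit();
  return { prevented, log };
}
```

simulate(true, 200) shows the hand-off: the handler returns without touching the
event, so the browser's native path runs and no XHR is made. simulate(false, 200)
is the stopgap: the normal post is cancelled, the XHR carries the credentials,
and the page navigates on success; with a 401 the failure callback runs instead
and nothing navigates.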
** Logging Out
Forcing logout for users is left to a future version of this specification. See
[tdm] for ideas.

* References
- [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010)
  http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
- [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006)
  http://www.peej.co.uk/articles/http-auth-with-html-forms.html
- [ha] :: HTTP Authentication: Basic and Digest Authentication (RFC 2617, Jun 1999)
  http://tools.ietf.org/html/rfc2617
- [w3] :: User Agent Authentication Forms (W3C Note, 03 Feb 1999)
  http://www.w3.org/TR/NOTE-authentform