#+TITLE: Site-Controlled HTTP Authentication UI
* Motivation
HTTP Authentication is significantly less fundamentally broken than cookie-based
authentication.  And, while I've been meaning to write this up for years, the
recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again.

[tdm] explains many of the issues involved, so I'll just summarize briefly:
 1. The browser UI for HTTP Authentication sucks
 2. Websites want to control that UI

A natural consequence of these two things is that no sites use HTTP
Authentication, and browser vendors don't bother to make it not suck.

This is my proposal to make HTTP Authentication website-controlled, while
remaining backwards compatible with form-based authentication in browsers which
do not support the proposal.
* Proposal
** HTML Forms
Login forms need only add a single class to their <form> tag:
"http-authentication".  This class signals to the browser that it should use the
"username" and "password" fields of this form as the corresponding fields in
HTTP Authentication.  These fields MUST NOT be submitted with the rest of the
form when using HTTP Authentication.

Any additional information necessary to perform authentication (nonces, etc.)
should be pulled from the standard WWW-Authenticate headers.

Any fields in the login form not understood by the browser as part of a login
request MUST be submitted as normal for the provided form.
** Changes to RFC 2617
WWW-Authenticate headers MAY be sent along with 2xx and 3xx responses to
indicate that a page supports optional authentication.  When doing so, a
Vary: Authorization header and appropriate Cache-Control headers should be sent
so that caches continue to work properly.

A browser using form-based HTTP Authentication MAY use data acquired from a
WWW-Authenticate header sent with the form to authenticate itself without the
additional round-trip that would otherwise be required.
** Stopgap Measure
To use this feature before sites implement it, sites may use JavaScript
techniques along the lines of [peej] to silently force the browser into HTTP
Authentication.

I've set up a (very rough) example at http://httpauth.kepibu.org/login.php.  The
source code contains additional comments relevant to implementers of the stopgap
measure and can be fetched as a darcs repository via the command
:  darcs get http://repo.kepibu.org/httpauth/

** Working with the Stopgap Measure in Browsers that Support This Spec
Assuming sites implement the stopgap measure, and browsers later introduce
native support for this specification, it becomes important for browsers and
sites to communicate with each other about who is in charge of handling the
form-to-http-auth transition.

As someone who loathes the number of sites that fall apart with JS disabled, I
am tempted to simply say that browsers should refuse to fire JavaScript events
on the submission of http-authentication forms.  However, since sites will
almost certainly be doing other things in the JavaScript for those forms, that
is not a viable option.

Instead, it seems prudent to use the DOMImplementation hasFeature function.
Thus, I propose a feature name of "HTTPFormAuth" and a version of "1.0".
** Logging Out
Forcing logout for users is left to a future version of this specification.  See
[tdm] for ideas.
* References
 * [tdm]  :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010)
   http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
 * [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006)
   http://www.peej.co.uk/articles/http-auth-with-html-forms.html
 * [ha]   :: HTTP Authentication: Basic and Digest Authentication (RFC 2617, Jun 1999)
   http://tools.ietf.org/html/rfc2617
 * [w3]   :: User Agent Authentication Forms (W3C Note, 03 Feb 1999)
   http://www.w3.org/TR/NOTE-authentform