Thu Oct 28 20:22:24 UTC 2010 pix@kepibu.org
* *ahem* Use the correct input type for the username text box.
Thu Oct 28 00:01:20 UTC 2010 pix@kepibu.org
* Protect hasFeature call.
Wed Oct 27 23:48:14 UTC 2010 pix@kepibu.org
* Switch to hasFeature(), which seems perfectly suited for this.
Wed Oct 27 23:21:30 UTC 2010 pix@kepibu.org
* Prevent caching of ajax-login.php
Wed Oct 27 22:01:20 UTC 2010 pix@kepibu.org
* Mention hanging on synchronous requests
Wed Oct 27 19:56:56 UTC 2010 pix@kepibu.org
* Eliminate unused code.
Wed Oct 27 19:47:16 UTC 2010 pix@kepibu.org
* Don't use the hasClass function.
Wed Oct 27 04:40:07 UTC 2010 pix@kepibu.org
* Update for nicer html export
Wed Oct 27 04:26:47 UTC 2010 pix@kepibu.org
* Fix repo url
diff -rN -u old-httpauth/ajax-login.php new-httpauth/ajax-login.php
--- old-httpauth/ajax-login.php 2013-07-26 09:31:46.000000000 +0000
+++ new-httpauth/ajax-login.php 2013-07-26 09:31:46.000000000 +0000
@@ -3,6 +3,7 @@
if ('authenticate' === $_SERVER['PHP_AUTH_USER'] &&
'successfully' === $_SERVER['PHP_AUTH_PW']) {
header('HTTP/1.1 200 OK');
+ header('WWW-Authenticate: Basic Realm="Form-Based HTTP Auth Test"', false, 200);
} elseif ($_SERVER['PHP_AUTH_USER'] || $_SERVER['PHP_AUTH_PW']) {
/* Suppress the browser's login UI */
header('HTTP/1.1 403 Invalid Credentials');
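Review bot: the new `WWW-Authenticate` header on the 200 branch makes this response depend on the request's `Authorization` header, but the hunk adds no `Vary: Authorization`, so a shared cache could hand the authenticated 200 to a different client; add `header('Vary: Authorization');` beside it. The `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` reads in both conditions also assume the keys exist, and a request with no credentials raises undefined-index notices; wrap them in `isset()` before comparing.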
@@ -11,3 +12,7 @@
header('HTTP/1.1 401 Log In, Bitches');
header('WWW-Authenticate: Basic Realm="Form-Based HTTP Auth Test"', false, 401);
}
+
+/* no caching */
+header('Pragma: no-cache');
+header('Cache-Control: no-cache');
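Review bot: `Cache-Control: no-cache` only forces revalidation and still permits the response to be stored, and HTTP/1.1 defines `Pragma: no-cache` only as a request directive, so neither guarantees the credential-dependent 200 stays out of a cache. Use `header('Cache-Control: no-store, private');` (together with `Vary: Authorization`) for the branch that must not be stored.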
diff -rN -u old-httpauth/form-to-http-auth.js new-httpauth/form-to-http-auth.js
--- old-httpauth/form-to-http-auth.js 2013-07-26 09:31:46.000000000 +0000
+++ new-httpauth/form-to-http-auth.js 2013-07-26 09:31:46.000000000 +0000
@@ -1,29 +1,19 @@
(function () {
- function hasClass(node,className) {
- return node.className.match(new RegExp('(\\s|^)'+className+'(\\s|$)'));
- }
function form2httpAuth () {
/* Skip if the browser indicates it does this itself. */
- if (this.className.match(/(\\s|^)natively-supported(\\s|$)/))
+ if (document.implementation &&
+ document.implementation.hasFeature &&
+ document.implementation.hasFeature("HTTPFormAuth", "1.0"))
return true;
- /* Force the browser to clear the auth credentials. */
- /*
- var xhr = $.ajax({
- url: "/ajax-login.php",
- async: true,
- global: false,
- username: "-",
- password: "-",
- dataType: "text"
- });
- xhr.abort();
- */
+
/* Attempt login with provided credentials. */
var username = this.username.value;
var password = this.password.value;
var authed = false;
+ var form = this;
$.ajax({
url: "/ajax-login.php",
+ /* synchronous hangs some browsers temporarily. :/ */
async: false,
global: false,
username: username,
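Review bot: the `hasFeature` guard at the top of `form2httpAuth` treats a `true` return as proof of native support and skips the translator entirely, after which the form posts the plaintext `username` and `password` fields as a normal submission. The check therefore relies on `hasFeature("HTTPFormAuth", "1.0")` returning `false` in every browser that lacks support, which the DOM API does not guarantee (implementations may answer `true` for unknown feature strings); document that assumption next to the test or require a second signal before trusting it. The removed block that cleared stale credentials with a `-`/`-` login has no replacement; a comment explaining why it is no longer needed would help the next reader.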
@@ -31,13 +21,21 @@
dataType: 'text',
success: function (data, status, xhr) {
authed = true;
+ },
+ error: function (xhr, status, err) {
+ authed = false;
+ },
+ complete: function (xhr, status) {
+ /* Don't send username and password if we successfully managed to auth via HTTP */
+ if (authed) {
+ form.username.parentNode.removeChild(form.username);
+ form.password.parentNode.removeChild(form.password);
+ }
}
});
- /* Don't send username and password if we successfully managed to auth via HTTP */
- if (authed) {
- this.username.parentNode.removeChild(this.username);
- this.password.parentNode.removeChild(this.password);
- }
+
+ /* This is the only way to get browsers to submit the form exactly as
+ the user did, which is why we aren't using async above. */
return true;
}
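Review bot: moving the field removal into `complete` only works because the request is `async: false`, since the submission triggered by `return true` would otherwise race the callback, yet the comment that explains this dependency sits after the `$.ajax` call rather than at `complete`; put it on the callback so the coupling is visible where it matters. The new `error` handler assigns `authed = false`, which is already the initial value and is never changed except in `success`, so it can be dropped or used to record the failure reason instead.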
diff -rN -u old-httpauth/login.php new-httpauth/login.php
--- old-httpauth/login.php 2013-07-26 09:31:46.000000000 +0000
+++ new-httpauth/login.php 2013-07-26 09:31:46.000000000 +0000
@@ -45,7 +45,7 @@
<?php } ?>
<form action='/login.php' method='post' class='http-authentication'>
-<label for='theusername'>Username: <input type='textbox' name='username' id='theusername'></label>
+<label for='theusername'>Username: <input type='text' name='username' id='theusername'></label>
<label for='thepassword'>Password: <input type='password' name='password' id='thepassword'></label>
<button type='submit' name='authme' value='yea'>Authenticate Me!</button>
</form>
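Review bot: `type='text'` is the right fix (`textbox` is not a valid input type; browsers treated it as text by fallback, so the change is cosmetic). Because each `<input>` is nested inside its `<label>`, the `for`/`id` pairing is redundant; harmless, but one association mechanism is enough.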
diff -rN -u old-httpauth/notes.org new-httpauth/notes.org
--- old-httpauth/notes.org 2013-07-26 09:31:46.000000000 +0000
+++ new-httpauth/notes.org 2013-07-26 09:31:46.000000000 +0000
@@ -1,5 +1,5 @@
-* Site-Controlled HTTP Authentication UI
-** Motivation
+#+TITLE: Site-Controlled HTTP Authentication UI
+* Motivation
HTTP Authentication is significantly less fundamentally broken than cookie-based
authentication. And, while I've been meaning to write this up for years, the
recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again.
@@ -14,8 +14,8 @@
This is my proposal to make HTTP Authentication website-controlled, while
remaining backwards compatible with form-based authentication in browsers which
do not support the proposal.
-** Proposal
-*** HTML Forms
+* Proposal
+** HTML Forms
Login forms need add only a single class to their <form> tag:
"http-authentication". This class signals to the browser that it should use the
"username" and "password" fields for this form as the corresponding fields in
@@ -27,7 +27,7 @@
Any fields in the login form not understood by the browser as part of a login
request MUST be submitted as normal for the provided form.
-*** Changes to RFC 2617
+** Changes to RFC 2617
WWW-Authenticate headers MAY be sent along with 2xy and 3xy responses to
indicate that a page supports optional authentication. Vary: Authorization and
appropriate Cache-Control headers should be used when doing so to allow caches
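Review bot: "2xy and 3xy" reads as a typo for the usual "2xx and 3xx" status-class notation; change it. This paragraph also requires `Vary: Authorization` whenever `WWW-Authenticate` accompanies a 2xx response, but `ajax-login.php` in the same patch adds that header to its 200 response without any `Vary` header, so the example contradicts the spec text it accompanies.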
@@ -36,7 +36,7 @@
A browser using form-based HTTP Authentication MAY use data acquired from a
WWW-Authenticate header sent with the form to authenticate itself without the
additional round-trip that would otherwise be required.
-*** Stopgap Measure
+** Stopgap Measure
To use this feature before sites implement it, sites may use JavaScript
techniques along the lines of [peej] to silently force the browser into HTTP
Authentication.
@@ -44,9 +44,9 @@
I've set up a (very rough) example at http://httpauth.kepibu.org/login.php. The
source code contains additional comments relevant to implementers of the stopgap
measure and can be fetched as a darcs repository via the command
-: darcs get http://code.kepibu.org/httpauth/
+: darcs get http://repo.kepibu.org/httpauth/
-*** Working with the Stopgap Measure in Browsers that Support This Spec
+** Working with the Stopgap Measure in Browsers that Support This Spec
Assuming sites implement the stopgap measure, and browsers later introduce
native support for this specification, it becomes important for browsers and
sites to communicate with each other about who is in charge of handling the
@@ -58,14 +58,12 @@
certainly be doing other things in the JavaScript for those forms, that is not a
viable option.
-Instead, I propose that any browser which supports form-based HTTP Auth should
-add the class 'natively-supported' to forms requesting http authentication.
-This will allow sites to easily detect native support and avoid running their
-own JavaScript-based form-to-http-auth translators.
-*** Logging Out
+Instead, it seems prudent to utilize the DOMImplementation hasFeature function.
+Thus, I propose a feature name of "HTTPFormAuth" and a version of "1.0".
+** Logging Out
Forcing logout for users is left to a future version of this specification. See
[tdm] for ideas.
-** References
+* References
* [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010)
http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
* [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006)
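Review bot: the replacement paragraph drops the rationale carried by the removed lines (sites need a detection mechanism so they can avoid running their own JavaScript form-to-http-auth translators) and does not state what `hasFeature("HTTPFormAuth", "1.0")` must return in a browser without support; the stopgap in `form-to-http-auth.js` depends on a `false` there. Keep the rationale sentence and spell out the required return value for unsupported browsers.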
@@ -77,4 +75,4 @@
* flyspell :noexport:
LocalWords: UI LocalWords Firesheep peej authentform html tdm Login http login
LocalWords: username nonces pdf JavaScript auth JS natively logout xy darcs
-// LocalWords: php
+LocalWords: php