Wed Oct 27 04:40:07 UTC 2010 pix@kepibu.org * Update for nicer html export --- old-httpauth/notes.org 2015-04-16 18:36:01.000000000 +0000 +++ new-httpauth/notes.org 2015-04-16 18:36:01.000000000 +0000 @@ -1,5 +1,5 @@ -* Site-Controlled HTTP Authentication UI -** Motivation +#+TITLE: Site-Controlled HTTP Authentication UI +* Motivation HTTP Authentication is significantly less fundamentally broken than cookie-based authentication. And, while I've been meaning to write this up for years, the recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again. @@ -14,8 +14,8 @@ This is my proposal to make HTTP Authentication website-controlled, while remaining backwards compatible with form-based authentication in browsers which do not support the proposal. -** Proposal -*** HTML Forms +* Proposal +** HTML Forms Login forms need add only a single class to their
tag: "http-authentication". This class signals to the browser that it should use the "username" and "password" fields for this form as the corresponding fields in @@ -27,7 +27,7 @@ Any fields in the login form not understood by the browser as part of a login request MUST be submitted as normal for the provided form. -*** Changes to RFC 2617 +** Changes to RFC 2617 WWW-Authenticate headers MAY be sent along with 2xy and 3xy responses to indicate that a page supports optional authentication. Vary: Authorization and appropriate Cache-Control headers should be used when doing so to allow caches @@ -36,7 +36,7 @@ A browser using form-based HTTP Authentication MAY use data acquired from a WWW-Authenticate header sent with the form to authenticate itself without the additional round-trip that would otherwise be required. -*** Stopgap Measure +** Stopgap Measure To use this feature before sites implement it, sites may use JavaScript techniques along the lines of [peej] to silently force the browser into HTTP Authentication. @@ -46,7 +46,7 @@ measure and can be fetched as a darcs repository via the command : darcs get http://repo.kepibu.org/httpauth/ -*** Working with the Stopgap Measure in Browsers that Support This Spec +** Working with the Stopgap Measure in Browsers that Support This Spec Assuming sites implement the stopgap measure, and browsers later introduce native support for this specification, it becomes important for browsers and sites to communicate with each other about who is in charge of handling the 
@@ -62,10 +62,10 @@ add the class 'natively-supported' to forms requesting http authentication. This will allow sites to easily detect native support and avoid running their own JavaScript-based form-to-http-auth translators. -*** Logging Out +** Logging Out Forcing logout for users is left to a future version of this specification. See [tdm] for ideas. -** References +* References * [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010) http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf * [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006) @@ -77,4 +77,4 @@ * flyspell :noexport: LocalWords: UI LocalWords Firesheep peej authentform html tdm Login http login LocalWords: username nonces pdf JavaScript auth JS natively logout xy darcs -// LocalWords: php +LocalWords: php
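Review bot: the Motivation context in the first hunk (@@ -1,5) asserts that HTTP Authentication is "significantly less fundamentally broken" than cookie-based authentication and cites Firesheep, but never names the property it is relying on. Firesheep captures whatever crosses the wire in the clear, and Basic credentials are sent base64-encoded on every request, so over plain HTTP they are no harder to sniff than a session cookie. One sentence stating the intended advantage (for example that Digest never transmits the password itself, or that the credential is bound to a realm rather than being a bearer token) would let a reader evaluate the rest of the proposal; since this pass already reworks the heading above that paragraph, it is a cheap place to add it.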
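Review bot: the HTML Forms hunk (@@ -14,8) says the "http-authentication" class tells the browser to use the username and password fields "as the corresponding fields" of an HTTP authentication exchange, but does not say which origin or realm those credentials are then bound to. Ordinary form submission goes to the form's action URL; HTTP credentials are cached by the browser and replayed automatically, so the section should state with a MUST whether the browser may only send them to the form's action origin (or the page's own origin) and which realm it associates them with, otherwise an injected form could have the browser hand the user's credentials to a third party on every later request. Minor: "need add only a single class" reads better as "need only add a single class".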
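Review bot: RFC 2119 keywords are inconsistent in the RFC 2617 hunk (@@ -27,7): "WWW-Authenticate headers MAY be sent" is capitalised, but "Vary: Authorization and appropriate Cache-Control headers should be used" is not, so a cache that ignores the advice cannot tell whether it is non-conforming. A 2xx response that carries WWW-Authenticate is exactly the case where a shared cache could serve one user's authenticated page to another, so this reads as at least a SHOULD, and "appropriate Cache-Control headers" should name the directive meant (Cache-Control: private, or no-store). Also, "2xy and 3xy" is a non-standard spelling of the usual 2xx and 3xx.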
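Review bot: the "without the additional round-trip" sentence in the hunk at @@ -36,7 lets the browser reuse a WWW-Authenticate header delivered with the form page, but for Digest that header carries a nonce that may have expired by the time the user finishes typing. The section should say the browser must still handle a 401 with stale=true by retrying with the fresh nonce rather than reporting a failed login. The Stopgap paragraph in the same hunk says JavaScript "silently" forces the browser into HTTP Authentication; a line on what the user sees when the credentials are rejected (the native dialog versus the site's form) would help implementers of the stopgap.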
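Review bot: the reference entries following "* References" in the hunk at @@ -62,10 are written as "* [tdm] :: ..." and "* [peej] :: ...". In org-mode a line beginning with "* " at column 0 is a headline, not a list item, so unless these lines are indented (the copy here does not preserve indentation) they will export as sibling level-1 headlines of References rather than as a description list under it; the promotion in this hunk makes that visible because References is now level 1 too. If a description list is intended, indent them as plain-list items, e.g. "  - [tdm] :: Weaning the Web off of Session Cookies ...". Separately, this hunk quotes the class as 'natively-supported' while the HTML Forms hunk quotes "http-authentication"; pick one quoting convention.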