#+AUTHOR: pix
#+DATE: 2010-10-27
* Site-Controlled HTTP Authentication UI
** Motivation
HTTP Authentication is significantly less fundamentally broken than cookie-based
authentication. (One caveat: over plain HTTP, Basic authentication sends the
password itself with every request and is no better than a session cookie
against a sniffer, so the advantage holds only over TLS; Digest at least keeps
the password off the wire.) And, while I've been meaning to write this up for
years, the recent release of [[http://codebutler.com/firesheep][Firesheep]], which
hijacks session cookies sniffed on open networks, has brought the issue to the
fore once again.

[tdm] explains many of the issues involved, so I'll just summarize briefly:
1. The browser UI for HTTP Authentication sucks
2. Websites want to control that UI

A natural consequence of these two things is a stalemate: almost no sites use
HTTP Authentication, and browser vendors therefore don't bother to make its UI
not suck.

This is my proposal to make HTTP Authentication website-controlled, while
remaining backwards compatible with form-based authentication in browsers which
do not support the proposal.
** Proposal
*** HTML Forms
Login forms need only add a single class, "http-authentication", to their
<form> tag. This class signals to the browser that it should take the values of
the form's "username" and "password" fields and use them as the corresponding
credentials in HTTP Authentication. These two fields MUST NOT be submitted with
the rest of the form when using HTTP Authentication; they leave the browser only
inside the Authorization header.

Any additional information necessary to perform authentication (realm, nonces,
etc.) should be pulled from the standard WWW-Authenticate headers, not from the
form.

Any fields in the login form not understood by the browser as part of a login
request MUST be submitted as normal for the provided form.
*** Changes to RFC 2617
WWW-Authenticate headers MAY be sent along with 2xx and 3xx responses to
indicate that a page supports optional authentication. Such responses should
carry Vary: Authorization and appropriate Cache-Control headers (for instance
Cache-Control: private on the authenticated variant) so that caches keep the
anonymous and authenticated versions of the page apart instead of serving one
user's authenticated response to another.

A browser using form-based HTTP Authentication MAY use data (realm, nonce, etc.)
acquired from a WWW-Authenticate header sent with the form to authenticate
itself without the additional 401 round-trip that would otherwise be required.
*** Stopgap Measure
To use this feature before browsers implement it, sites may use JavaScript
techniques along the lines of [peej] to silently move the browser from an
ordinary login form into HTTP Authentication.

I've set up a (very rough) example at http://httpauth.kepibu.org/login.php. The
source code contains additional comments relevant to implementers of the stopgap
measure and can be fetched as a darcs repository via the command
: darcs get http://repo.kepibu.org/httpauth/

*** Working with the Stopgap Measure in Browsers that Support This Spec
Assuming sites implement the stopgap measure, and browsers later introduce
native support for this specification, it becomes important for browsers and
sites to communicate with each other about who is in charge of handling the
form-to-http-auth transition; otherwise both will attempt it.

As someone who loathes the number of sites that fall apart with JS disabled, it
is tempting to simply say browsers should refuse to fire JavaScript events on
the submission of http-authentication forms. However, since sites will almost
certainly be doing other things in the JavaScript for those forms, that is not a
viable option.

Instead, I propose that any browser which supports form-based HTTP
Authentication should add the class 'natively-supported' to forms requesting
http authentication. This will allow sites to easily detect native support and
avoid running their own JavaScript-based form-to-http-auth translators.
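The following is an added example serving both the "Stopgap Measure" section and the 'natively-supported' hand-off above; it is not code from the proposal or from the kepibu.org example site. The site-side script first checks whether the browser has claimed the form natively and, only if not, translates the form submission into HTTP Authentication. The credential-priming step follows the XMLHttpRequest form of [peej]'s technique (open() with a username and password so the browser attaches them and keeps them for the following navigation); the function names, the protected URL, and the stand-in form object that lets the logic run under Node are this example's own assumptions.

```javascript
// Added example (not the proposal's or the example site's code): site-side
// stopgap that defers to the browser when class "natively-supported" is
// present.  Names, URLs and the fake form below are assumptions of this example.

// Who owns the form-to-http-auth transition?  true: the site's script must do
// it; false: the browser has claimed it natively, or this is not an
// http-authentication form at all.
function needsStopgap(classAttr) {
  const classes = (classAttr || '').split(/\s+/).filter(Boolean);
  return classes.includes('http-authentication') &&
         !classes.includes('natively-supported');
}

// Default primer for real browsers: one request carrying the credentials so
// the browser attaches them to the navigation that follows.  Only ever do this
// over https; with Basic auth the password rides in every request.
function primeWithXhr(url, username, password, done) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true, username, password);
  xhr.onload = () => done(xhr.status >= 200 && xhr.status < 300);
  xhr.onerror = () => done(false);
  xhr.send();
}

// Wire the stopgap onto a form.  prime/navigate/onFailure are injectable so the
// logic can be exercised without a browser.  Returns true if the stopgap was
// installed, false if the browser (or the markup) says not to.
function installStopgap(form, protectedUrl, opts = {}) {
  const prime = opts.prime || primeWithXhr;
  const navigate = opts.navigate || ((u) => { window.location.href = u; });
  const onFailure = opts.onFailure || (() => {});
  if (!needsStopgap(form.className)) return false;

  form.addEventListener('submit', (ev) => {
    // Cancel the normal POST: username/password MUST NOT leave in the body.
    ev.preventDefault();
    const username = form.elements.username.value;
    const password = form.elements.password.value;
    prime(protectedUrl, username, password, (ok) => {
      if (ok) navigate(protectedUrl);
      else onFailure();
    });
  });
  return true;
}

// Minimal stand-in for an HTMLFormElement, constructed here so the example
// runs under Node without a DOM.
function fakeForm(className, username, password) {
  const listeners = {};
  return {
    className,
    elements: { username: { value: username }, password: { value: password } },
    addEventListener(type, fn) { listeners[type] = fn; },
    submit() { listeners.submit({ preventDefault() {} }); },
  };
}

// Drive the stopgap against the fake form with a scripted primer and report
// what happened: whether it was installed, what was primed, where we went.
function simulate(className, primerAccepts) {
  const form = fakeForm(className, 'alice', 'correct horse');
  const log = { primed: null, navigatedTo: null, failed: false };
  const installed = installStopgap(form, '/members/', {
    prime: (url, u, p, done) => { log.primed = { url, u, p }; done(primerAccepts); },
    navigate: (u) => { log.navigatedTo = u; },
    onFailure: () => { log.failed = true; },
  });
  if (installed) form.submit();
  return { installed, ...log };
}
```

Two practical caveats, from experience rather than from the proposal: the check in needsStopgap only means something if the browser adds 'natively-supported' before the site's scripts run, so a browser implementing this should set the class as the form is parsed, not after load; and how long a browser keeps credentials supplied through XMLHttpRequest.open() for later top-level navigations differs between browsers and has changed over the years, so the primer step needs to be verified in each browser you care about rather than assumed.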
*** Logging Out
Forcing logout for users is left to a future version of this specification. See
[tdm] for ideas.
** References
- [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010),
  http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
- [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006),
  http://www.peej.co.uk/articles/http-auth-with-html-forms.html
- [ha] :: HTTP Authentication: Basic and Digest Authentication (RFC 2617, Jun 1999),
  http://tools.ietf.org/html/rfc2617
- [w3] :: User Agent Authentication Forms (W3C Note, 03 Feb 1999),
  http://www.w3.org/TR/NOTE-authentform