Wed Oct 27 04:40:07 UTC 2010 pix@kepibu.org

* Update for nicer html export

--- old-httpauth/notes.org 2013-07-22 16:06:14.000000000 +0000

+++ new-httpauth/notes.org 2013-07-22 16:06:14.000000000 +0000

@@ -1,5 +1,5 @@

-* Site-Controlled HTTP Authentication UI

-** Motivation

+#+TITLE: Site-Controlled HTTP Authentication UI

+* Motivation

HTTP Authentication is significantly less fundamentally broken than cookie-based

authentication. And, while I've been meaning to write this up for years, the

recent release of [[http://codebutler.com/firesheep][Firesheep]] has brought the issue to the fore once again.

@@ -14,8 +14,8 @@

This is my proposal to make HTTP Authentication website-controlled, while

remaining backwards compatible with form-based authentication in browsers which

do not support the proposal.

-** Proposal

-*** HTML Forms

+* Proposal

+** HTML Forms

Login forms need add only a single class to their <form> tag:

"http-authentication". This class signals to the browser that it should use the

"username" and "password" fields for this form as the corresponding fields in

@@ -27,7 +27,7 @@

Any fields in the login form not understood by the browser as part of a login

request MUST be submitted as normal for the provided form.

-*** Changes to RFC 2617

+** Changes to RFC 2617

WWW-Authenticate headers MAY be sent along with 2xy and 3xy responses to

indicate that a page supports optional authentication. Vary: Authorization and

appropriate Cache-Control headers should be used when doing so to allow caches

@@ -36,7 +36,7 @@

A browser using form-based HTTP Authentication MAY use data acquired from a

WWW-Authenticate header sent with the form to authenticate itself without the

additional round-trip that would otherwise be required.

-*** Stopgap Measure

+** Stopgap Measure

To use this feature before sites implement it, sites may use JavaScript

techniques along the lines of [peej] to silently force the browser into HTTP

Authentication.

@@ -46,7 +46,7 @@

measure and can be fetched as a darcs repository via the command

: darcs get http://repo.kepibu.org/httpauth/

-*** Working with the Stopgap Measure in Browsers that Support This Spec

+** Working with the Stopgap Measure in Browsers that Support This Spec

Assuming sites implement the stopgap measure, and browsers later introduce

native support for this specification, it becomes important for browsers and

sites to communicate with each other about who is in charge of handling the

@@ -62,10 +62,10 @@

add the class 'natively-supported' to forms requesting http authentication.

This will allow sites to easily detect native support and avoid running their

own JavaScript-based form-to-http-auth translators.

-*** Logging Out

+** Logging Out

Forcing logout for users is left to a future version of this specification. See

[tdm] for ideas.

-** References

+* References

* [tdm] :: Weaning the Web off of Session Cookies (Timothy Morgan, 26 Jan 2010)

http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

* [peej] :: HTTP Authentication with HTML Forms (Paul James, 03 Feb 2006)

@@ -77,4 +77,4 @@

* flyspell :noexport:

LocalWords: UI LocalWords Firesheep peej authentform html tdm Login http login

LocalWords: username nonces pdf JavaScript auth JS natively logout xy darcs

-// LocalWords: php

+LocalWords: php