W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Customizing the authentication dialog

From: Dave Kristol <dmk@bell-labs.com>
Date: Mon, 15 Dec 1997 14:48:40 -0500
Message-Id: <34958998.167EB0E7@bell-labs.com>
To: Scott Lawrence <lawrence@agranat.com>
Cc: Eric_Houston/CAM/Lotus@lotus.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Scott Lawrence wrote:
> 
> > Could the spec allow for customization of the authentication dialog?
> 
>   The only customization allowed for is the value of the realm, which
>   should be displayed to the user (if any) if challenging for the
>   credentials.  In thinking about customizing this, bear in mind that some
>   clients will not be browsers and will not have human users.

FWIW, ages ago I asked for (and was denied) the addition of a "prompt"
attribute, which would have been (one of) the thing the user saw in the
dialog box.  The argument against at the time was, I think, that such an
attribute could be used by a malicious server to fool the user into
giving credentials for a spoofed authentication domain.

Notwithstanding that valid criticism, I still think a "prompt" attribute
could be useful.  In one application I wrote, users have to register
before they can gain access to "protected" documents.  The project, and
hence the realm, is "SEPTEMBER".  But to remind users that they have to
register first, I had to make the HTTP realm attribute be "SEPTEMBER
(You must have registered)", so browsers would present that string, and
users would get the useful hint.

Dave Kristol
Received on Monday, 15 December 1997 11:51:11 EST
