Re: Customizing the authentication dialog

On Mon, 15 Dec 1997, Dave Kristol wrote:

> Scott Lawrence wrote:
> > 
> > > Could the spec allow for customization of the authentication dialog?
> > 
> >   The only customization allowed for is the value of the realm, which
> >   should be displayed to the user (if any) if challenging for the
> >   credentials.  In thinking about customizing this, bear in mind that some
> >   clients will not be browsers and will not have human users.
> 
> FWIW, ages ago I asked for (and was denied) the addition of a "prompt"
> attribute, which would have been (one of) the things the user saw in the
> dialog box.  The argument against at the time was, I think, that such an
> attribute could be used by a malicious server to fool the user into
> giving credentials for a spoofed authentication domain.
> 
> Notwithstanding that valid criticism, I still think a "prompt" attribute
> could be useful.  In one application I wrote, users have to register
> before they can gain access to "protected" documents.  The project, and
> hence the realm, is "SEPTEMBER".  But to remind users that they have to
> register first, I had to make the HTTP realm attribute be "SEPTEMBER
> (You must have registered)", so browsers would present that string, and
> users would get the useful hint.

I agree, I think quite a few web applications end up doing their own
authentication simply because the default prompt is unfriendly.

Specification of a prompt doesn't need to mean replacement of the
existing prompt. Perhaps rather than prompt, what could be specified
would be a comment to be included in the login dialog box. By calling
it a comment (or realm description) and requiring continued presentation
of the server name and realm I think there is no valid criticism.

Since the REALM still governs the process, non-human clients would
have no conflict.

It would also be very useful if user agents would allow the user to
review the body associated with the 401 response WITHOUT canceling
the authentication prompt.

In any case, this seems well out of bounds for what we can consider
for HTTP/1.1 ... or does the apparent undocking of authentication
leave more wiggle room?

Dave Morris

Received on Monday, 15 December 1997 15:14:31 UTC
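As an added illustration (not code from this thread or from any browser), here is a hypothetical user-agent routine that parses a WWW-Authenticate challenge and builds the login dialog so that the host and realm are always shown first, with any server-supplied text treated as an untrusted comment. The `description` parameter is an assumption, standing in for the "realm description" attribute proposed above; no HTTP spec defines it.

```python
import re

# auth-param: token "=" ( token / quoted-string ), comma separated (RFC 7235 grammar)
_PARAM_RE = re.compile(r'''\s*([\w!#$%&'*+.^`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?''')

# Constructed sample challenge, using the realm string from Dave Kristol's message.
SAMPLE_CHALLENGE = 'Basic realm="SEPTEMBER (You must have registered)"'


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {name: value})."""
    scheme, _, rest = header.strip().partition(' ')
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            break  # unparseable tail: keep what was parsed so far
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        # quoted-string: undo quoted-pair escapes (\" -> ", \\ -> \)
        params[name] = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else token
        pos = m.end()
    return scheme, params


def sanitize_display(text, limit=60):
    """Strip control characters (CR/LF included) and cap the length, so
    server-chosen text cannot reshape the dialog or push the realm out of view."""
    cleaned = ''.join(ch for ch in text if ch.isprintable())
    return cleaned if len(cleaned) <= limit else cleaned[:limit] + '...'


def build_prompt(host, header):
    """Dialog text: host and realm always come first; the hypothetical
    'description' parameter, if present, is shown only as an untrusted note."""
    scheme, params = parse_challenge(header)
    lines = [
        f'The site {host} requires a username and password ({scheme}).',
        f'Realm: "{sanitize_display(params.get("realm", ""))}"',
    ]
    if 'description' in params:  # assumed attribute, not defined by any HTTP spec
        lines.append(f'Server note (untrusted): {sanitize_display(params["description"])}')
    return '\n'.join(lines)


if __name__ == '__main__':
    print(build_prompt('www.example.org', SAMPLE_CHALLENGE))
```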