- From: Dave Kristol <dmk@bell-labs.com>
- Date: Mon, 15 Dec 1997 14:48:40 -0500
- To: Scott Lawrence <lawrence@agranat.com>
- Cc: Eric_Houston/CAM/Lotus@lotus.com, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Scott Lawrence wrote:
>
> > Could the spec allow for customization of the authentication dialog?
>
> The only customization allowed for is the value of the realm, which
> should be displayed to the user (if any) if challenging for the
> credentials. In thinking about customizing this, bear in mind that some
> clients will not be browsers and will not have human users.

FWIW, ages ago I asked for (and was denied) the addition of a "prompt" attribute, which would have been (one of) the thing the user saw in the dialog box. The argument against at the time was, I think, that such an attribute could be used by a malicious server to fool the user into giving credentials for a spoofed authentication domain.

Notwithstanding that valid criticism, I still think a "prompt" attribute could be useful. In one application I wrote, users have to register before they can gain access to "protected" documents. The project, and hence the realm, is "SEPTEMBER". But to remind users that they have to register first, I had to make the HTTP realm attribute be "SEPTEMBER (You must have registered)", so browsers would present that string, and users would get the useful hint.

Dave Kristol

Received on Monday, 15 December 1997 11:51:11 UTC
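
An added example, not part of the original message or of any specification text: one way a client could show the server-supplied realm while keeping the spoofing concern raised in the message in check, by taking the host from the request URL and presenting the realm only as a quoted, sanitized claim. The function names, the dialog wording, the 80-character cap and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit

# realm="..." as a quoted-string; a backslash escapes the next character.
_REALM = re.compile(r'\brealm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
MAX_REALM = 80  # assumed display limit, not taken from any spec


def parse_realm(challenge):
    """Return the realm value of a WWW-Authenticate challenge, or None."""
    m = _REALM.search(challenge)
    if m is None:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))  # undo quoted-pair escapes


def clean_for_display(text):
    """Realm text is server-controlled: drop control characters,
    collapse whitespace and cap the length before showing it."""
    text = "".join(ch if ch.isprintable() else " " for ch in text)
    text = " ".join(text.split())
    if len(text) > MAX_REALM:
        text = text[:MAX_REALM - 3] + "..."
    return text


def dialog_text(request_url, challenge):
    """First line comes from the URL the client requested, never from the
    server's header; the realm appears only as a quoted claim below it."""
    host = urlsplit(request_url).hostname or "(unknown host)"
    lines = ["Sign in to " + host]
    realm = parse_realm(challenge)
    if realm:
        lines.append('The server describes this area as: "'
                     + clean_for_display(realm) + '"')
    return "\n".join(lines)


# Constructed sample challenges; HINT reuses the realm string from the message.
HINT = 'Basic realm="SEPTEMBER (You must have registered)"'
MISLEADING = 'Basic realm="Sign in to\n\nbank.example"'

if __name__ == "__main__":
    print(dialog_text("http://docs.example/protected/", HINT))
    print(dialog_text("http://files.example/", MISLEADING))
```
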