- From: Thomas Broyer <t.broyer@gmail.com>
- Date: Sat, 24 Oct 2009 16:33:52 +0200
- To: Sylvain Hellegouarch <sh@defuze.org>
- Cc: ietf-http-wg@w3.org
On Sat, Oct 24, 2009 at 3:17 PM, Sylvain Hellegouarch wrote:
> Thomas Broyer wrote:
>>
>> Help me advance and finish "HTTP Cookie Auth" ;-)
>> http://tools.ietf.org/html/draft-broyer-http-cookie-auth
>> http://hg.ltgt.net/http-cookie-auth/
>
> Hi Thomas,
>
> This is indeed a good starting point. I went through your proposal and I'm a
> bit unclear about the actual end-to-end workflow performed by the UA. I'm
> not sure I understand how the different directives would be applied.

Think of how HTML form and cookie-based auth is done today. Now:

1. replace any "redirect to login form" with either a 3xx "Unauthorized, See Other" (to be defined, in preparation for the -01 draft; would need a <meta>-refresh for backwards compat though) or, better, a 401 with the HTML form (some form-based auth already uses 200 with no-cache).

2. serve the HTML login page with a 401 and a WWW-Authenticate: Cookie. The only required field is the realm (per RFC 2617); fields about the cookie(s) are RECOMMENDED, and fields about the form (-01 will add two fields to make "machine driven" auth easier, without having to parse the response body, which might not even be HTML with a form) are OPTIONAL (because http-cookie-auth doesn't even require that there is a "form" to be submitted; the cookie could be set by any means, including some JS or Flash or ... included in the 401 response).

3. there's no Authorization request header entering into play; the Cookie header is enough to convey credentials (which means authenticated responses should be sent with the appropriate Vary: Cookie and Cache-Control: private headers).

http-cookie-auth is totally backwards compatible (except unfortunately with Opera pre-10.0, as Opera will then display an error page about the auth scheme not being supported), and should require only very minimal changes to any existing cookie-based auth (including SSOs).

I'm successfully using a similar, custom auth scheme in an enterprise app, which I plan to migrate to http-cookie-auth when it is "stable" enough.

And now let's continue this discussion in private (and in French ;-) ) or on ietf-http-auth@osafoundation.org ;-)

--
Thomas Broyer
/tɔ.ma.bʁwa.je/
Received on Saturday, 24 October 2009 14:34:26 UTC
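The three steps in the mail, modelled as an added Python example (not code from the draft, the mailing list or its author): an unauthenticated request to a protected resource gets a 401 carrying the login page and a `WWW-Authenticate: Cookie` challenge; a successful form submission sets the session cookie; a request carrying that cookie gets a 200 marked `Vary: Cookie` and `Cache-Control: private`. The realm parameter is the RFC 2617 one named in the mail; the `cookie-name` parameter, the `sid` cookie, the user table and the login form are constructed for this demo and are assumptions, not fields quoted from the draft.

```python
import secrets
from hashlib import pbkdf2_hmac
from http.cookies import SimpleCookie

REALM = "example"            # the only REQUIRED challenge field (RFC 2617)
SESSION_COOKIE = "sid"       # constructed cookie name for this demo
LOGIN_FORM = ('<form method="POST" action="/login">'
              '<input name="user"><input name="pw" type="password"></form>')

# Constructed user table: password kept as a salted PBKDF2 hash, never in clear.
_SALT = b"demo-salt"
USERS = {"alice": pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSIONS = {}                # token -> user name (in-memory store for the demo)


def challenge(realm=REALM, cookie_name=SESSION_COOKIE):
    """Build the WWW-Authenticate value for the Cookie scheme.

    'realm' is required by RFC 2617; 'cookie-name' stands in for the
    RECOMMENDED cookie field and is an assumed parameter name, not one
    quoted from the draft in the mail.
    """
    return f'Cookie realm="{realm}", cookie-name="{cookie_name}"'


def parse_challenge(value):
    """Client side: split 'Scheme k="v", k2="v2"' into (scheme, params)."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.strip().lower()] = val.strip().strip('"')
    return scheme, params


def login(user, password):
    """The form submission of step 2: on success, return a Set-Cookie header."""
    digest = pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    expected = USERS.get(user)
    # Constant-time compare so a wrong password does not leak timing information.
    if expected is None or not secrets.compare_digest(digest, expected):
        return 401, {"WWW-Authenticate": challenge()}, LOGIN_FORM
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    set_cookie = f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
    return 200, {"Set-Cookie": set_cookie, "Cache-Control": "no-store"}, "ok"


def handle(request_headers):
    """Serve a protected resource given the request's header dict."""
    jar = SimpleCookie(request_headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    user = SESSIONS.get(morsel.value) if morsel is not None else None
    if user is None:
        # Step 2: the login page itself goes out with 401 + WWW-Authenticate: Cookie.
        headers = {"WWW-Authenticate": challenge(),
                   "Content-Type": "text/html", "Cache-Control": "no-store"}
        return 401, headers, LOGIN_FORM
    # Step 3: credentials arrive only in the Cookie header, so the response must
    # be marked as varying on it and as private to this user, or a shared cache
    # could serve one user's page to another.
    headers = {"Vary": "Cookie", "Cache-Control": "private",
               "Content-Type": "text/plain"}
    return 200, headers, f"hello {user}"
```

Calling `handle({})` yields the 401 challenge; `login("alice", "correct horse")` returns the `Set-Cookie` header, and replaying its `sid` value in a `Cookie` header makes `handle` return the private, cookie-varying 200. A client that understands the scheme can detect the `Cookie` challenge with `parse_challenge` instead of inspecting the HTML body, which is the point of the machine-driven fields the -01 draft is to add.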