Re: [apps-discuss] [kitten] [saag] HTTP authentication: the next generation

Hi Everyone,

These last few messages do a great job outlining both the real
problems that face adoption of HTTP authentication without a
customizable user interface, and the fact that HTTP authentication is
perhaps more secure than form-based authentication (as well as being a
requirement for automated/non-GUI clients).

I did some work not long ago on this and found that we can have our
cake and eat it too.  That is, even with current browser
implementations, one can utilize HTTP Basic/Digest with an HTML form
(if desired).  (Yes, once again, HTML forms may allow for easier
phishing, etc, but that is what the HTTP Mutual authentication
proposal can address.)

My position paper is here:
  http://vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

And some proof of concept code for forms-based HTTP authentication can
be found on this page:
  http://vsecurity.com/resources/tool


The implementation is hacky right now, because, at the time of
development and testing, browsers didn't adhere well to the draft
XMLHttpRequest standard.  I haven't checked the status of browser
implementations, but the proposed standard still requires a behavior
that is workable with such a system.


So all of these pieces are coming together on their own to allow for
forms-based HTTP authentication.  The major outstanding piece needed
for most web applications with HTTP authentication is the ability to
log out.  The ability to instruct a browser, in a standard way
(preferably with HTTP response headers) to forget the credentials it
has cached.  Writing a draft RFC for this has been on my list for some
time, but I've been quite busy this year.  For those interested, I can
dig up some of the previous discussion threads...

cheers,
tim

Received on Monday, 13 December 2010 17:11:07 UTC
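As an added example (not code from the original post, nor the author's proof of concept), here is what the form-driven HTTP Basic login the message describes can look like on the browser side, together with the unstandardised logout workaround the last paragraph is about. The URLs, element ids and function names are assumptions; the server is assumed to answer 401 with a "WWW-Authenticate: Basic" challenge and 200 once credentials are accepted. The two helpers at the top are plain functions that also run under Node, so the header handling can be checked outside a browser.

```javascript
// Added example, not the author's code. Assumed: LOGIN_URL, LOGOUT_URL, the
// element ids "login-form" and "error", and a server that replies 401 with a
// WWW-Authenticate: Basic challenge until valid credentials arrive.
const LOGIN_URL = "/auth/check";
const LOGOUT_URL = "/auth/check";

// Build the RFC 7617 credential: "Basic " + base64(UTF-8(user ":" pass)).
// TextEncoder and btoa are globals in browsers and in current Node.
function basicAuthorizationHeader(user, pass) {
  if (user.includes(":")) {
    throw new Error("user-id must not contain a colon (RFC 7617, section 2)");
  }
  const bytes = new TextEncoder().encode(`${user}:${pass}`);
  let latin1 = "";
  for (const b of bytes) latin1 += String.fromCharCode(b); // btoa wants byte chars
  return "Basic " + btoa(latin1);
}

// Parse a challenge such as   Basic realm="Members", charset="UTF-8"
// into { scheme, params }. Handles quoted and bare parameter values, which is
// enough for the Basic and Digest challenges a form handler has to inspect.
function parseWwwAuthenticate(header) {
  const m = /^\s*([A-Za-z][\w-]*)\s*(.*)$/.exec(header);
  if (!m) throw new Error("malformed WWW-Authenticate: " + header);
  const params = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[2])) !== null) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
  }
  return { scheme: m[1], params };
}

// Browser side: send the form's credentials with XMLHttpRequest's user/password
// arguments, so the browser itself answers the 401 challenge. An Authorization
// header set by hand would satisfy this one request, but in practice it is the
// open() credentials that end up in the browser's per-realm credential cache.
function loginViaXhr(url, user, pass) {
  return new Promise((resolve, reject) => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url, true, user, pass);
    xhr.onload = () => {
      if (xhr.status === 200) {
        resolve(xhr);
      } else {
        const challenge = xhr.getResponseHeader("WWW-Authenticate");
        const realm = challenge ? parseWwwAuthenticate(challenge).params.realm : "?";
        reject(new Error(`HTTP ${xhr.status} for realm ${realm}`));
      }
    };
    xhr.onerror = () => reject(new Error("network error"));
    xhr.send();
  });
}

// Logout: there is no standard header for "forget these credentials", which is
// the gap the message points out. A widely used workaround is to overwrite the
// cached pair with a deliberately wrong one, so the next navigation gets a fresh
// 401 instead of silently re-authenticating. Whether it works depends on the browser.
function logoutViaXhr(url) {
  return new Promise((resolve) => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url, true, "logged-out", String(Date.now()));
    xhr.onloadend = () => resolve(xhr.status); // expected: 401 from the server
    xhr.send();
  });
}

// Wire the handlers to the HTML form (assumed ids); only runs in a browser.
if (typeof document !== "undefined") {
  document.getElementById("login-form").addEventListener("submit", async (ev) => {
    ev.preventDefault();
    const user = ev.target.elements.user.value;
    const pass = ev.target.elements.pass.value;
    try {
      await loginViaXhr(LOGIN_URL, user, pass);
      window.location.assign("/account"); // browser re-sends the cached credentials
    } catch (e) {
      document.getElementById("error").textContent = "Login failed: " + e.message;
    }
  });
}
```

The caveat the message itself raises applies here: whether the credentials cached by the XHR are reused for ordinary navigations, and whether a bogus pair really displaces them, varies by browser and version, so both paths need to be tested against each browser you support rather than assumed.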