[Bug 11912] New: HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore,

http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912

           Summary: HTML5 provides an opportunity to fix a long-running
                    problem with HTTP Authentication.  HTTP Authentication
                    is important, because it is the only way to execute a
                    request with 100% certainty that the user has provided
                    an authentication secret.  Furthermore,
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#top
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: HTML5 spec (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org


Specification: http://www.w3.org/TR/html5/
Section: http://www.whatwg.org/specs/web-apps/current-work/#top

Comment:
HTML5 provides an opportunity to fix a long-running problem with HTTP
Authentication.  HTTP Authentication is important, because it is the only way
to execute a request with 100% certainty that the user has provided an
authentication secret.    Furthermore, because the secret is transmitted with
each request, it can be passed on to other authenticated services on the
server-side.

Because of its two shortcomings, HTTP authentication has been largely replaced
with cookie-based authentication, which is not as secure or useful.  We can
fix this by addressing these two shortcomings with minimal additions to HTML:

1. There is currently no standard way to allow a user to submit HTTP
authentication credentials using a web form embedded in the document.  This
causes the HTTP authentication process to appear disjointed from the document,
which is generally not favored by web developers nor expected by users.  I
propose two additional form submission methods to address this: "auth-basic"
and "auth-digest".  These would cause the user agent to access the form's
action URI (if it uses the http or https protocols), using the form's inputs
-- which should be specially named as "username" and "password" -- as
authentication credentials using the specified method.    If the authentication
is successful, the user agent would remember these credentials and retransmit
them with each request to the same realm without the need for a
WWW-Authenticate header.  If the authentication is not successful, the server
should transmit a 403 status code and either provide the form again in the
response body, or transmit a WWW-Authenticate header which would cause the
user agent to display its native authentication mechanism.

2. HTTP authentication does not provide a mechanism for instructing the user
agent to forget its credentials -- in other words, a mechanism for the user to
log out.  Some user agents have started providing a way to forget credentials,
but it is usually hidden in several levels of menus and dialog boxes. 
Internet Explorer provides a JavaScript mechanism for clearing the auth
credentials: document.execCommand("ClearAuthenticationCache") (which I would
argue ought to be standardized, but that is outside the scope of HTML). 
However, as long as one consideration is made to the form-based method
described above, no additional features would be necessary to support logging
out from within the application.  If the user agent already has credentials
for a given realm, and the user submits an "auth-basic" or "auth-digest" form
with different credentials to the same realm, then the user agent should
forget the original credentials and instead use the newly submitted ones.  In
the special case where empty credentials are submitted, the user agent should
simply forget any existing credentials and stop transmitting credentials until
new ones are supplied through a form or a WWW-Authenticate header.  This way,
a "log-out" button could simply be a form, with method="auth-basic" or
"auth-digest", and hidden, empty fields in place of the credentials.  When the
submission button for this form is activated, the user will be logged out.

HTTP Authentication is often regarded as a dinosaur, but in conjunction with
SSL, it is vastly more secure and more useful than any other authentication
mechanism used by web sites and web applications.  When used properly, it can
improve security across all backend services by using credential forwarding
instead of, for example, storing database credentials on the server where they
could be recovered and abused by a malicious person.  The changes I have
proposed are simply two additional "method" values for HTML forms, and a short
specification of associated behavior which should be simple to implement and
would eliminate all shortcomings of HTTP authentication.  Please give serious
consideration to my proposal.

Thanks,
Jeremy Smith <jeremy@blazonco.com>

Posted from: 98.189.173.114

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

Received on Friday, 28 January 2011 17:47:45 UTC