- From: <bugzilla@jessica.w3.org>
- Date: Fri, 28 Jan 2011 17:47:43 +0000
- To: public-html@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11912 Summary: HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore, Product: HTML WG Version: unspecified Platform: Other URL: http://www.whatwg.org/specs/web-apps/current-work/#top OS/Version: other Status: NEW Severity: normal Priority: P3 Component: HTML5 spec (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: contributor@whatwg.org QAContact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org Specification: http://www.w3.org/TR/html5/ Section: http://www.whatwg.org/specs/web-apps/current-work/#top Comment: HTML5 provides an opportunity to fix a long-running problem with HTTP Authentication. HTTP Authentication is important, because it is the only way to execute a request with 100% certainty that the user has provided an authentication secret. Furthermore, because the secret is transmitted with each request, it can be passed on to other authenticated services on the server-side. Because of its two shortcomings, HTTP authentication has been largely replaced with cookie-based authentication, which is not as secure or useful. We can fix this by addressing these two shortcomings with minimal additions to HTML: 1. There is currently no standard way to allow a user to submit HTTP authentication credentials using a web form embedded in the document. This causes the HTTP authentication process to appear disjointed from the document, which is generally not favored by web developers nor expected by users. I propose two additional form submission methods to address this: "auth-basic" and "auth-digest". These would cause the user agent to access the form's action URI (if it uses the http or https protocols), using the form's inputs -- which should be specially named as "username" and "password" -- as authentication credentials using the specified method. If the authentication is successful, the user agent would remember these credentials and retransmit them with each request to the same realm without the need for a WWW-Authenticate header. If the authentication is not successful, the server should transmit a 403 status code and either provide the form again in the response body, or transmit a WWW-Authenticate header which would cause the user agent to display its native authentication mechanism. 2. HTTP authentication does not provide a mechanism for instructing the user agent to forget its credentials -- in other words, a mechanism for the user to log out. Some user agents have started providing a way to forget credentials, but it is usually hidden in several levels of menus and dialog boxes. Internet Explorer provides a JavaScript mechanism for clearing the auth credentials: document.execCommand("ClearAuthenticationCache") (which I would argue ought to be standardized, but that is outside the scope of HTML). However, as long as one consideration is made to the form-based method described above, no additional features would be necessary to support logging out from within the application. If the user agent already has credentials for a given realm, and the user submits an "auth-basic" or "auth-digest" form with different credentials to the same realm, then the user agent should forget the original credentials and instead use the newly submitted ones. In the special case where empty credentials are submitted, the user agent should simply forget any existing credentials and stop transmitting credentials until new ones are supplied through a form or a WWW-Authenticate header. This way, a "log-out" button could simply be a form, with method="auth-basic" or "auth-digest", and hidden, empty fields in place of the credentials. When the submission button for this form is activated, the user will be logged out. HTTP Authentication is often regarded as a dinosaur, but in conjunction with SSL, it is vastly more secure and more useful than any other authentication mechanism used by web sites and web applications. When used properly, it can improve security across all backend services by using credential forwarding instead of, for example, storing database credentials on the server where they could be recovered and abused by a malicious person. The changes I have proposed are simply two additional "method" values for HTML forms, and a short specification of associated behavior which should be simple to implement and would eliminate all shortcomings of HTTP authentication. Please give serious consideration to my proposal. Thanks, Jeremy Smith <jeremy@blazonco.com> Posted from: 98.189.173.114 -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Friday, 28 January 2011 17:47:45 UTC