- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 25 Aug 2004 23:12:39 -0700
Hi,

I was wondering if there's been any discussion of adding HTTP authentication capabilities to Web forms or other products of the WG (If there has, apologies in advance; I think the work happening here is important, but I don't have the time to track it closely).

For example, I could imagine having form controls or widgets to:

- remove a site's authentication state from the browser when activated (i.e., a "log out" interface)
- add user data to a site's authentication state in the browser (i.e., "log on" interfaces)
- display the user's current authentication state

There are a few good reasons to do this. Many sites use cookies to authenticate users, because HTTP authentication doesn't have any mechanism to allow logging out (a key requirement of financial institutions and other sensitive applications), and because the UI for HTTP authentication can't be controlled, and doesn't offer an "anonymous" / "not logged in" view.

By accommodating HTTP authentication in Web forms, it will be possible to have styled, custom "log on" interfaces as part of pages, as well as "log out" facilities, while still retaining the benefits of HTTP authentication. Specifically, HTTP authentication is more secure than cookies (when Digest auth is used), and is more amenable to automated processes (agents, spiders, etc.) as well as alternate browsing devices (screen readers, etc.).

What do people think? I understand that Web forms 2.0 is probably too advanced for this, but I'd love to see something happen in this area eventually. Also, the security aspects would need to be handled carefully, but I think that if it's done properly, it could be a huge benefit to the Web as well as Web forms.

Cheers,

--
Mark Nottingham http://www.mnot.net/
Received on Wednesday, 25 August 2004 23:12:39 UTC