- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 26 Aug 2004 22:54:40 -0700
Mike Dierken pointed this out as well:
  http://www.w3.org/TR/NOTE-authentform
(I haven't looked at it in depth yet, but it appears to be a concrete proposal along these lines)

On Aug 25, 2004, at 11:12 PM, Mark Nottingham wrote:

> Hi,
>
> I was wondering if there's been any discussion of adding HTTP
> authentication capabilities to Web forms or other products of the WG
> (If there has, apologies in advance; I think the work happening here
> is important, but I don't have the time to track it closely).
>
> For example, I could imagine having form controls or widgets to:
>   - remove a site's authentication state from the browser when
>     activated (i.e., a "log out" interface)
>   - add user data to a site's authentication state in the browser
>     (i.e., "log on" interfaces)
>   - display the user's current authentication state
>
> There are a few good reasons to do this. Many sites use cookies to
> authenticate users, because HTTP authentication doesn't have any
> mechanism to allow logging out (a key requirement of financial
> institutions and other sensitive applications), and because the UI for
> HTTP authentication can't be controlled, and doesn't offer an
> "anonymous" / "not logged in" view.
>
> By accommodating HTTP authentication in Web forms, it will be possible
> to have styled, custom "log on" interfaces as part of pages, as well
> as "log out" facilities, while still retaining the benefits of HTTP
> authentication.
>
> Specifically, HTTP authentication is more secure than cookies (when
> Digest auth is used), and is more amenable to automated processes
> (agents, spiders, etc.) as well as alternate browsing devices (screen
> readers, etc.).
>
> What do people think? I understand that Web forms 2.0 is probably too
> advanced for this, but I'd love to see something happen in this area
> eventually. Also, the security aspects would need to be handled
> carefully, but I think that if it's done properly, it could be a huge
> benefit to the Web as well as Web forms.
>
> Cheers,
>
> --
> Mark Nottingham     http://www.mnot.net/
>

--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 26 August 2004 22:54:40 UTC