
[whatwg] Re: Web form and HTTP authentication

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 3 Dec 2004 21:32:55 +0000 (UTC)
Message-ID: <Pine.LNX.4.61.0412032130430.20176@dhalsim.dreamhost.com>

On Mon, 8 Nov 2004, Aaron Swartz wrote:
> My thinking was that the server would simply support both -- Digest
> Auth for WF2 UAs and standard insecure POST/cookie auth for old UAs.
> This would take a little extra coding but hardly seems insurmountable.

Digest Auth is insecure; the point of using HTTP auth for login instead of 
cookies wouldn't be to increase security, it would be to put the 
authentication information at the appropriate level. IMHO if we required 
authors to implement both HTTP auth and POST/cookie auth, they'd only do 
one, not both. There wouldn't be any advantage to doing both, really.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 3 December 2004 13:32:55 UTC
