- From: Matthew Thomas <mpt@myrealbox.com>
- Date: Fri, 17 Dec 2004 21:50:06 +1300
On 17 Dec, 2004, at 6:08 PM, Ian Hickson wrote:
>
> On Fri, 17 Dec 2004, Matthew Thomas wrote:
>>
>> Future browsers could, instead of displaying an alert for HTTP
>> authentication, provide the authentication UI in a panel at the top of
>> the non-authenticated page (fixing annoying modality issues in the
>> process). That wouldn't require any change to HTTP authentication
>> either.
>
> A very interesting idea. The problem with that is that if you show the
> 401 page at the moment, you'll get something like:
>
>    401 UNAUTHORIZED
>
>    YOU DO NOT HAVE THE PROPER PERMISSIONS
>
>
>
> ___________________________________________________________
> Username: [_____] Password: [_______] (Login) [X]

Well since I said "at the top of the non-authenticated page", and since
~70 percent of sites use Apache, most of the time it would look more
like this ...

 ____________________________________________________________
| Committee Members Area       ID: [            ]            |
| foo.example.org        Password: [            ] ( Log In ) |
|""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""|
|                                                            |
|                  AUTHENTICATION REQUIRED                   |
:                                                            :

.... which would be quite okay, since "authentication required" isn't
contradicting anything.

(Further, a really earnest browser might delay rendering of any
unauthorized page to prevent FOUC, and then display the unauthenticated
page only if it didn't contain the case-insensitive regexp
"401*.unauthorized". That would be weird, but hardly weirder than
Internet Explorer's current length-based overriding of server error
messages.)

> ...
> We could get around that by saying that you can include
> WWW-Authenticate headers with 200 OK responses as well (nothing in
> HTTP seems to say you can't), and that if you do, then the bar is
> shown as above ("interactive user agents should provide a non-modal
> authentication interface"). Then, if you've already sent your
> credentials and you get a 401, then you get the 401 page and the bar,
> instead of the modal dialog.
> ...

Yes, that's a simpler option. :-) (Provided that current browsers still
ask for authentication even when given a 200 OK.)

-- 
Matthew Thomas
http://mpt.net.nz/

Received on Friday, 17 December 2004 00:50:06 UTC