W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2008

[whatwg] Solving the login/logout problem in HTML

From: Martin Atkins <mart@degeneration.co.uk>
Date: Wed, 26 Nov 2008 14:35:46 -0800
Message-ID: <492DCF42.3080708@degeneration.co.uk>
Asbj?rn Ulsberg wrote:
> 
>  [Request 1]
> 
>  GET /administration/ HTTP/1.1
> 
> 
>  [Response 1]
> 
>  HTTP/1.1 401 Unauthorized
>  WWW-Authenticate: HTML realm="Administration"
> 
>  <!DOCTYPE html>
>  <html>
>    ....
>    <form action="/login">
>      <input name="username">
>      <input type="password" name="password">
>      <input type="submit">
>    </form>
>  </html>
> 
> 
>  [Request 2]
> 
>  POST /login HTTP/1.1
> 
>  username=admin&password=secret
> 
> 
>  [Response 2]
> 
>  HTTP/1.1 302 Found
>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
>  Location: /administration/
>  
> 
>  [Request 3]
> 
>  GET /administration/ HTTP/1.1
>  Authorization: HTML QWxhZGRpbjpvcGVuIHNlc2FtZQ== realm="Administration"
> 
>  [Response 3]
> 
>  HTTP/1.1 200 OK
> 
>  <!DOCTYPE html>
>  <html>
>    ...
>    <h1>Welcome!</h1>
>  </html>
> 
> The twist here is that it is up to the server to provide the 
> authentication token and through the 'Authorization' header, give the 
> client a way to authorize future requests.

Your auth token here seems to me to be equivalent to a session cookie.

If you change the "Authorization" header in Response 2 to "Set-Cookie" 
(and make some syntactic adjustments) then this doesn't require any 
changes to how deployed apps handle sessions today.
Received on Wednesday, 26 November 2008 14:35:46 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:07 UTC