[whatwg] Solving the login/logout problem in HTML

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 27 Nov 2008 00:13:13 +0100
Message-ID: <492DD809.8080404@gmx.de>
Martin Atkins wrote:
> ...
> By that line of reasoning, you could equally argue that sites don't need 
> this authentication scheme at all since they do just fine without it today.
> 
> I think this new authentication scheme is most interesting when used in 
> conjunction with other schemes, because it allows the same endpoint to 
> be used for both browsers and other non-browser agents.
> ...

That would be nice in theory, but will be tricky to deploy. The current 
proposal may fly because it doesn't require browsers to change (well, at 
least as long as they display the response body when the auth scheme is 
unknown -- which AFAIU is the case for FF and IE).

Once you add a *known* scheme such as Basic or Digest, you'll get the 
authentication dialogue box most site designers want to avoid.

> One use-case, which I hinted at in my message, is pages that contain 
> data annotated with microformats. These are useful both to browsers and 
> non-browser agents, but today it's cumbersome to use microformats on 
> pages that require authentication to view, since it is difficult for a 
> non-browser agent to figure out how to log in to an arbitrary site 
> without human intervention.

Yes, that's the same case as spiders, WebDAV, feed readers, calendaring 
clients, whatnot.

> I went ahead and did some basic testing of this case, anyway.
> 
> For my initial test, I arranged for my server to send a response like this:
> 
> ---------------------------------------------------
> HTTP/1.0 401 Unauthorized
> Content-type: text/html
> WWW-Authenticate: HTML form="login"
> WWW-Authenticate: Basic realm="test thing"
> 
> <html>
> <head>
> <title>Log in</title>
> </head>
> <body>
> 
> <h1>Log in</h1>
> 
> <form name="login" action="/login.cgi?return_to=/testauth.cgi">
> <div>Username: <input type="text" name="u" /></div>
> <div>Password: <input type="text" name="p" /></div>
> </form>
> 
> </body>
> </html>
> ---------------------------------------------------
> 
> This case didn't turn out so well:
> * IE7: Displayed Basic login dialog
> * F3: Displayed Basic login dialog
> * O9.5: Displayed Basic login dialog

Yes.

> In all cases, hitting Cancel on the login dialog caused the body to be 
> rendered as a normal page, which is better than nothing but not really 
> ideal.
> 
> I swapped the ordering so that Basic came before HTML, but the results 
> were the same. (as you'd expect.)
> 
> I figured though that in most cases if your two types of clients are 
> browsers and non-browser clients, it's quite likely that the non-browser 
> clients will be using OAuth rather than Basic authentication, since that 
> seems to be the "big thing" right now. I swapped out "Basic" for "OAuth" 
> in my second WWW-Authenticate header above, and the results were more 
> promising:
> 
> * IE7: Rendered the response body as a normal page
> * F3: Rendered the response body as a normal page
> * O9.5: Displayed an error: "The server requested an authentication 
> method that is not supported."

Yes, once the 'other' authentication scheme is "new" as well, this may work.

> ...

BR, Julian
Received on Wednesday, 26 November 2008 15:13:13 UTC
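The challenge-selection behaviour the two experiments above expose (a browser answers any scheme it implements natively with a dialog and only falls back to rendering the body when every challenge is unknown, while a script picks the scheme it supports) can be modelled by parsing the WWW-Authenticate fields of the 401. The following is an added illustration, not code from the thread; it assumes Basic and Digest as the browser's built-in schemes (the FF/IE behaviour described in the mail, not Opera's error), and the header lists are constructed to reproduce the two responses Martin tested.

```python
import re
from typing import Dict, List, Optional, Tuple

# One challenge = scheme name plus key=value parameters (RFC 2617 style).
Challenge = Tuple[str, Dict[str, str]]

# token=quoted-string or token=token; enough for the challenges in the mail.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header_value: str) -> Challenge:
    """Parse a single WWW-Authenticate field value, e.g. 'Basic realm="test thing"'."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
              for m in _PARAM.finditer(rest)}
    return scheme.lower(), params


def parse_challenges(headers: List[Tuple[str, str]]) -> List[Challenge]:
    """Collect every WWW-Authenticate field from a 401 response's header list, in order."""
    return [parse_challenge(v) for k, v in headers if k.lower() == "www-authenticate"]


# Assumption: schemes a 2008-era browser implements natively and answers with a dialog.
BROWSER_SCHEMES = {"basic", "digest"}


def browser_action(challenges: List[Challenge]) -> str:
    """'dialog' if any challenge uses a scheme the browser knows; otherwise 'render',
    i.e. the body (and its login form) is displayed, which is what the HTML scheme relies on."""
    return "dialog" if any(s in BROWSER_SCHEMES for s, _ in challenges) else "render"


def pick_for_agent(challenges: List[Challenge], supported: List[str]) -> Optional[Challenge]:
    """Non-browser agent: choose the first challenge matching its own preference order."""
    for want in supported:
        for scheme, params in challenges:
            if scheme == want:
                return scheme, params
    return None


# Constructed header lists reproducing the two 401 responses from the experiment.
TEST_BASIC = [("Content-type", "text/html"),
              ("WWW-Authenticate", 'HTML form="login"'),
              ("WWW-Authenticate", 'Basic realm="test thing"')]
TEST_OAUTH = [("Content-type", "text/html"),
              ("WWW-Authenticate", 'HTML form="login"'),
              ("WWW-Authenticate", 'OAuth realm="test thing"')]

if __name__ == "__main__":
    for name, hdrs in (("HTML+Basic", TEST_BASIC), ("HTML+OAuth", TEST_OAUTH)):
        ch = parse_challenges(hdrs)
        print(name, "browser:", browser_action(ch), "script:", pick_for_agent(ch, ["oauth", "basic"]))
```

The `form="login"` parameter survives parsing, so a browser that did implement the HTML scheme could locate the named form in the body instead of raising a dialog.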