- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Tue, 21 Oct 2008 20:07:35 +0100
You're re-inventing Digest authentication (RFC 2617). Digest has two-way authentication with hashed challenge-response, nonces, can use passwords stored as hashes (though not as secure as storage for plaintext auth), avoids the insecurity of cookies and even has simple data integrity verification.

...and it's all futile if an attacker can modify a single byte sent over the network.

Anyway, it doesn't make sense to duplicate all that functionality in forms just because the typical interface for HTTP authentication is ugly and unusable. You can fix the interface, and there's a proposal for it already (from 1999!):

http://www.w3.org/TR/NOTE-authentform

I think that proposal is generally a good idea, but the details could be improved (i.e. it should reuse existing forms and input types rather than creating new ones that can't offer seamless fallback).

--
regards, Kornel Lesinski
Received on Tuesday, 21 October 2008 12:07:35 UTC
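To make the mechanism the message refers to concrete, here is a worked Digest (RFC 2617) exchange added as an example; it is not part of the original mail or of any W3C proposal. The sample username, realm, password, nonce and cnonce are the values from the example in RFC 2617 section 3.5, so the computed response can be checked against the RFC; the `DigestServer` class, `run_exchange`, the JSON body and the replay and tamper scenarios are constructed for this illustration. It shows the three points the mail lists: the password never leaves the client (only MD5(HA1:nonce:nc:cnonce:qop:HA2) does), the server can verify knowing only the stored HA1 (which is why hashed storage is possible but also why a leaked HA1 is a password equivalent for that realm), and `qop=auth-int` binds the request body so a changed byte is rejected.

```python
import hashlib
import hmac

# Constructed sample values: the worked exchange from RFC 2617 section 3.5.
USERNAME = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server-chosen, per challenge
CNONCE = "0a4f113b"                            # client-chosen, per request


def md5_hex(data) -> str:
    """RFC 2617 fixes MD5 as the Digest hash; weak today, but it is what the scheme specifies."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store HA1 instead of the
    password, but HA1 is a password equivalent for this realm: whoever reads it
    can answer challenges, which is why this is weaker than a salted, slow
    password hash used behind a plaintext login form."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """HA2 binds method and URI; with qop=auth-int it also binds the hash of the body."""
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth or qop=auth-int."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def client_authorize(username, password, realm, nonce, method, uri, qop, nc, cnonce, body=b""):
    """Client side: answer the challenge. The password is hashed locally and never sent."""
    h1 = ha1(username, realm, password)
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": qop, "nc": nc, "cnonce": cnonce,
        "response": digest_response(h1, nonce, nc, cnonce, qop, ha2(method, uri, qop, body)),
    }


class DigestServer:
    """Server side (hypothetical helper): holds one HA1 per user, the nonces it
    issued, and the (nonce, nc) pairs it has already accepted."""

    def __init__(self, users: dict):
        self.users = {u: ha1(u, REALM, p) for u, p in users.items()}  # HA1 only, no passwords
        self.issued = set()
        self.seen = set()

    def challenge(self, nonce: str) -> str:
        """Record a nonce and return the WWW-Authenticate header value for it."""
        self.issued.add(nonce)
        return f'Digest realm="{REALM}", qop="auth,auth-int", nonce="{nonce}"'

    def verify(self, auth: dict, method: str, body: bytes = b"") -> bool:
        stored = self.users.get(auth["username"])
        if stored is None or auth["nonce"] not in self.issued:
            return False
        key = (auth["nonce"], auth["nc"])
        if key in self.seen:
            return False  # same nonce-count presented twice: a replay
        expected = digest_response(stored, auth["nonce"], auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2(method, auth["uri"], auth["qop"], body))
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.seen.add(key)
        return True


def run_exchange():
    """One valid request, the same request replayed, and a request whose body was altered."""
    server = DigestServer({USERNAME: PASSWORD})
    server.challenge(NONCE)
    body = b'{"amount": 100}'  # constructed request body
    auth = client_authorize(USERNAME, PASSWORD, REALM, NONCE, "POST", "/dir/index.html",
                            "auth-int", "00000001", CNONCE, body)
    first = server.verify(auth, "POST", body)
    replay = server.verify(auth, "POST", body)
    # Fresh nc, but the body the server sees differs from the one the client signed.
    auth2 = client_authorize(USERNAME, PASSWORD, REALM, NONCE, "POST", "/dir/index.html",
                             "auth-int", "00000002", CNONCE, body)
    tampered = server.verify(auth2, "POST", b'{"amount": 900}')
    return first, replay, tampered


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

The integrity check only covers what the client chose to hash. The mail's "futile if an attacker can modify a single byte" remark is about the rest of the exchange: nothing in the response protects the challenge itself (the realm, nonce or the offered `qop` values) or the server's reply, so on an unprotected channel an active intermediary can alter those before the client ever computes a hash. Digest therefore mitigates passive sniffing and replay, not active tampering; that still needs TLS.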