W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2010

[whatwg] Form-based HTTP Authentication Proof of Concept

From: Timothy D. Morgan <tmorgan@vsecurity.com>
Date: Thu, 25 Feb 2010 08:00:37 -0800
Message-ID: <20100225160037.GW2153@sentinelchicken.org>

Hello,

As a follow up to my paper advocating HTTP authentication over 
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be 
used to achieve form-based login, logout, and authenticated password
changes in the four most popular browsers:                   
  http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip

Note that this is achieved without using any checks to determine what 
browser is being used.

While this is promising, I still think we should have an HTTP-based 
log out mechanism.  In addition, the proposed W3C change to 
XMLHttpRequest authentication behavior will make this code much 
simpler.

cheers,
tim


1. http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
Received on Thursday, 25 February 2010 08:00:37 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC