- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Fri, 26 Feb 2010 02:04:51 -0000
On Thu, 25 Feb 2010 16:00:37 -0000, Timothy D. Morgan <tmorgan at vsecurity.com> wrote:

> As a follow up to my paper advocating HTTP authentication over
> cookies [1], I've built a simple sample application which demonstrates
> how a combination of XMLHttpRequest and response code tricks can be
> used to achieve form-based login, logout, and authenticated password
> changes in the four most popular browsers:
> http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
>
> Note that this is achieved without using any checks to determine what
> browser is being used.
>
> While this is promising, I still think we should have an HTTP-based
> log out mechanism. In addition, the proposed W3C change to
> XMLHttpRequest authentication behavior will make this code much
> simpler.

FYI, a while ago I implemented a proof-of-concept as well, but by using URLs with login/password:

http://geekhood.net/auth/

Those two approaches combined could offer a solution with good user experience and a working non-JS fallback.

--
regards, Kornel Lesiński
Received on Thursday, 25 February 2010 18:04:51 UTC