W3C home > Mailing lists > Public > whatwg@whatwg.org > February 2010

[whatwg] Form-based HTTP Authentication Proof of Concept

From: Kornel Lesinski <kornel@geekhood.net>
Date: Fri, 26 Feb 2010 02:04:51 -0000
Message-ID: <op.u8ppa7hyptj49s@aimac.local>
On Thu, 25 Feb 2010 16:00:37 -0000, Timothy D. Morgan  
<tmorgan at vsecurity.com> wrote:

> As a follow up to my paper advocating HTTP authentication over
> cookies [1], I've built a simple sample application which demonstrates
> how a combination of XMLHttpRequest and response code tricks can be
> used to achieve form-based login, logout, and authenticated password
> changes in the four most popular browsers:
>   http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
>
> Note that this is achieved without using any checks to determine what
> browser is being used.
>
> While this is promising, I still think we should have an HTTP-based
> log out mechanism.  In addition, the proposed W3C change to
> XMLHttpRequest authentication behavior will make this code much
> simpler.

FIY a while ago I've implemented proof-of-concept as well, but by using  
URLs with login/password:

http://geekhood.net/auth/

Those two approaches combined could offer solution with good user  
experience and working non-JS fallback.

-- 
regards, Kornel Lesi?ski
Received on Thursday, 25 February 2010 18:04:51 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC