[whatwg] Form-based HTTP Authentication Proof of Concept

From: Bil Corry <bil@corry.biz>
Date: Sat, 06 Mar 2010 20:55:16 -0800
Message-ID: <4B9331B4.2060900@corry.biz>
Kornel Lesinski wrote on 2/25/2010 6:04 PM: 
> On Thu, 25 Feb 2010 16:00:37 -0000, Timothy D. Morgan
> <tmorgan at vsecurity.com> wrote:
> 
>> As a follow up to my paper advocating HTTP authentication over
>> cookies [1], I've built a simple sample application which demonstrates
>> how a combination of XMLHttpRequest and response code tricks can be
>> used to achieve form-based login, logout, and authenticated password
>> changes in the four most popular browsers:
>>   http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
>>
>> Note that this is achieved without using any checks to determine what
>> browser is being used.
>>
>> While this is promising, I still think we should have an HTTP-based
>> log out mechanism.  In addition, the proposed W3C change to
>> XMLHttpRequest authentication behavior will make this code much
>> simpler.
> 
> FYI, a while ago I implemented a proof-of-concept as well, but by using
> URLs with login/password:
> 
> http://geekhood.net/auth/
> 
> Those two approaches combined could offer a solution with good user
> experience and a working non-JS fallback.
> 

Internet Explorer disallows username:password in URLs due to phishing, or so I recall.  I tried your example with IE8 and it didn't work.  Worked great in FF3.6 with JavaScript disabled.  Might be something to use as a fallback method when JavaScript is disabled and the user is using FF or another compatible browser.


- Bil
Received on Saturday, 6 March 2010 20:55:16 UTC