- From: Bil Corry <bil@corry.biz>
- Date: Sat, 06 Mar 2010 20:55:16 -0800
Kornel Lesinski wrote on 2/25/2010 6:04 PM:
> On Thu, 25 Feb 2010 16:00:37 -0000, Timothy D. Morgan
> <tmorgan at vsecurity.com> wrote:
>
>> As a follow up to my paper advocating HTTP authentication over
>> cookies [1], I've built a simple sample application which demonstrates
>> how a combination of XMLHttpRequest and response code tricks can be
>> used to achieve form-based login, logout, and authenticated password
>> changes in the four most popular browsers:
>> http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
>>
>> Note that this is achieved without using any checks to determine what
>> browser is being used.
>>
>> While this is promising, I still think we should have an HTTP-based
>> log out mechanism. In addition, the proposed W3C change to
>> XMLHttpRequest authentication behavior will make this code much
>> simpler.
>
> FYI, a while ago I implemented a proof-of-concept as well, but by using
> URLs with login/password:
>
> http://geekhood.net/auth/
>
> Those two approaches combined could offer a solution with good user
> experience and a working non-JS fallback.

Internet Explorer disallows username:password in URLs due to phishing, or so I recall. I tried your example with IE8 and it didn't work. Worked great in FF3.6 with JavaScript disabled. Might be something to use as a fallback method when JavaScript is disabled and the user is using FF or another compatible browser.

- Bil
Received on Saturday, 6 March 2010 20:55:16 UTC