- From: Samuel Rinnetmäki <w3wai@puoli.net>
- Date: Tue, 27 Jul 2004 15:54:57 +0300 (EEST)
- To: WAI Interest Group <w3c-wai-ig@w3.org>
> 1) HTTP Basic Authentication
> there is no real way to "log out" without closing the user agent.

There is no "real way", but you could resend "Status: 401 Unauthorized". If the user then submits wrong or empty credentials, the browser will "forget" the old values. This is almost impossible to explain to most of the users, but may be used in some environments. [1]

Many session based authentication systems are not much better: after logout they allow you to log back in by hitting the back button until you get back to the point where the username and password were originally sent to the server. [2]

> 2) Cookie Authentication
> This would appear quite friendly from a user perspective, but what if
> the user agent does not support cookies?

What does Cookie Authentication actually mean? That you prompt users for username and password, and if the user submits correct credentials, you start a session and store the session ID (any kind of identifier) in a cookie? If so, you could also append the session ID to all the links. [3] However, appending session ID information to the URLs may present additional security issues. [4]

Session based authentication allows you to create pages which may be accessed by all, but with some of the content visible only to users who have logged in successfully.

In any case, consider whether the user may create working bookmarks to all protected resources. When using HTTP Basic Authentication, this shouldn't be a problem. Many session based authentication mechanisms require users to log in on a certain address, and after authentication users are redirected to the main page - not to the page they originally requested.

Regards,
Samuel

[1] E.g. PHPMyAdmin uses something similar, when configured to use HTTP Basic Auth.
[2] I send "303 See Other" as a response to a POSTed request.
[3] E.g. PHP can be configured to try and guess whether cookies are supported by the user's browser, and then use cookies or append the session ID to URLs accordingly.
[4] If User sends an address of a page to Friend, and Friend copies the address to her browser, does Friend get to share User's session? If you link to other sites or if you present banners on your site, may other parties misuse the session information possibly passed to them in the Referer header?

--
Samuel Rinnetmäki samuel@iki.fi
Received on Tuesday, 27 July 2004 09:16:25 UTC
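The session-handling points raised in this message (a logout the back button cannot undo, "303 See Other" as the reply to a POST, a redirect back to the page originally requested, and keeping the session ID out of URLs so a pasted link or the Referer header cannot hand the session to someone else), as an added example that is not part of the original post. The `SessionStore`/`handle` names and the `alice` credential are constructed for the demo.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import quote

USERS = {"alice": "correct horse"}   # constructed demo credential; real code stores salted hashes

class SessionStore:
    """Server-side record of live sessions: only what is stored here counts as logged in."""
    def __init__(self):
        self._sessions = {}           # session id -> username
    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable, so it cannot be forged or enumerated
        self._sessions[sid] = user
        return sid
    def user_for(self, sid):
        return self._sessions.get(sid)
    def destroy(self, sid):
        self._sessions.pop(sid, None)

def _sid_from(headers):
    """Read the session id from the Cookie header only; it is never taken from the URL."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    return cookies["sid"].value if "sid" in cookies else None

def handle(store, method, path, headers, form=None):
    """Route one request; returns (status, response_headers, body)."""
    sid = _sid_from(headers)
    user = store.user_for(sid) if sid else None
    if method == "POST" and path == "/login":
        u, pw = form.get("user", ""), form.get("password", "")
        if u in USERS and secrets.compare_digest(USERS[u].encode(), pw.encode()):
            # Return to the page originally requested, but only a same-site path
            # (rejecting "//host" too) so the redirect cannot be pointed off-site.
            nxt = form.get("next", "/")
            if not nxt.startswith("/") or nxt.startswith("//"):
                nxt = "/"
            cookie = f"sid={store.create(u)}; HttpOnly; Secure; SameSite=Lax; Path=/"
            return 303, {"Location": nxt, "Set-Cookie": cookie}, b""
        return 401, {}, b"bad credentials"
    if method == "POST" and path == "/logout":
        if sid:
            store.destroy(sid)   # forgotten server-side: the back button cannot revive it
        return 303, {"Location": "/", "Set-Cookie": "sid=; Max-Age=0; Path=/"}, b""
    if path.startswith("/private"):
        if user is None:   # send to login, remembering where the user wanted to go
            return 303, {"Location": "/login?next=" + quote(path, safe="/")}, b""
        return 200, {}, f"secret for {user}".encode()
    return 200, {}, b"public page"
```

Replaying the pre-logout cookie against `/private/...` after `/logout` yields a redirect to the login page, not the protected content, which is the behaviour the back-button complaint above is about.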