Re: Accessibility of Pages Requiring Sign-In

> 1) HTTP Basic Authentication
> there is no real way to "log out" without closing the user agent.

There is no "real way" but you could resend "Status: 401 Unauthorized".  
If the user then submits wrong or empty credentials, the browser will 
"forget" the old values.  This is almost impossible to explain to most 
of the users, but may be used in some environments. [1]

Many session based authentication systems are not much better: after 
logout they allow you to log back in by hitting the back button until you 
get back to the point where the username and password were originally 
sent to the server. [2]

> 2) Cookie Authentication
> This would appear quite friendly from a user perspective, but what if 
> the user agent does not support cookies?

What does Cookie Authentication actually mean?  That you prompt users 
for a username and password, and if the user submits correct credentials, you 
start a session and store the session ID (any kind of identifier) in a 
cookie?  If so, you could also append the session ID to all the links. 
[3] However, appending session ID information to the URLs may present 
additional security issues. [4]

Session based authentication allows you to create pages which may be 
accessed by all, but with some of the content visible only to users 
who have logged in successfully.

In any case, consider whether the user may create working bookmarks to 
all protected resources.  When using HTTP Basic Authentication, this 
shouldn't be a problem.  Many session based authentication mechanisms 
require users to log in on a certain address, and after authentication
users are redirected to the main page - not to the page they originally 
requested.

Regards,

	Samuel

[1] E.g. PHPMyAdmin uses something similar, when configured to use HTTP 
Basic Auth.

[2] I send "303 See Other" as a response to a POSTed request.

[3] E.g. PHP can be configured to try and guess whether cookies are 
supported by the user's browser, and then use cookies or append the session ID 
to URLs accordingly.

[4] If User sends an address of a page to Friend, and Friend copies the 
address to her browser, does Friend get to share User's session?  If you 
link to other sites or if you present banners on your site, may other 
parties misuse the session information possibly passed to them in the 
Referer header?

-- 
Samuel Rinnetmäki
samuel@iki.fi

Received on Tuesday, 27 July 2004 09:16:25 UTC
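The points raised in the message above (answering a POSTed login with 303 See Other so the back button does not replay the credentials, keeping the session ID in a cookie rather than in URLs where it can leak through the Referer header, invalidating the session server-side on logout, returning the user to the page originally requested instead of the main page, and the 401 trick for "logging out" of HTTP Basic Authentication) can be shown together in a few response-building functions. The code below is an added example written for this archive page, not code from the poster or from any project mentioned in the thread; it uses no web framework, the `Response` class, the in-memory `SESSIONS` store, the `USERS` table and all function names are constructed for illustration, and the `Secure` cookie flag assumes the site is served over HTTPS.

```python
"""Login, logout and redirect patterns from the mailing-list discussion,
as plain Python functions that build HTTP responses (constructed example)."""
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> username.
SESSIONS = {}
# Constructed user table. A real system stores password hashes, never plaintext.
USERS = {"alice": "correct horse"}


@dataclass
class Response:
    status: str
    headers: list = field(default_factory=list)
    body: str = ""


def safe_return_path(candidate, default="/"):
    """Accept only a same-site absolute path as the post-login destination,
    so 'send the user back to the page they requested' cannot be turned
    into a redirect to another site."""
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return default
    if any(ch in candidate for ch in "\\\r\n"):
        return default
    return candidate


def login(form, return_path=None):
    """Handle a POSTed login form. On success: start a session, store the id
    in an HttpOnly cookie (never in the URL), and answer 303 See Other so the
    browser history holds a GET of the destination, not the POST that carried
    the credentials. Wrong credentials get a 401 with no session."""
    user = form.get("username", "")
    expected = USERS.get(user, "")
    supplied = form.get("password", "")
    # compare_digest keeps the comparison time independent of where they differ.
    if not expected or not secrets.compare_digest(expected, supplied):
        return Response("401 Unauthorized", body="bad credentials")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return Response("303 See Other", headers=[
        ("Location", safe_return_path(return_path)),
        ("Set-Cookie", f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Cache-Control", "no-store"),
    ])


def logout(cookie_sid):
    """Invalidate the session on the server; clearing the cookie alone would
    leave a replayed or bookmarked sid valid."""
    SESSIONS.pop(cookie_sid, None)
    return Response("303 See Other", headers=[
        ("Location", "/"),
        ("Set-Cookie", "sid=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax"),
        ("Cache-Control", "no-store"),
    ])


def current_user(cookie_sid):
    """Resolve the request's session cookie to a user. None means 'render the
    public version of the page', which is how one page can serve both
    anonymous and logged-in visitors."""
    return SESSIONS.get(cookie_sid)


def protected_page_headers():
    """Headers for pages that must not hand session data to other sites:
    the sid stays in the cookie, and a strict Referrer-Policy keeps the URL
    (which might still carry other sensitive query data) off the Referer
    header when the user follows a link or loads a third-party banner."""
    return [("Referrer-Policy", "same-origin"), ("Cache-Control", "no-store")]


def basic_auth_logout():
    """The Basic Auth trick from the message: re-send 401 with a challenge so
    the browser prompts again and discards its cached credentials once the
    user submits wrong or empty ones."""
    return Response("401 Unauthorized", headers=[
        ("WWW-Authenticate", 'Basic realm="example"'),
        ("Cache-Control", "no-store"),
    ], body="You are now logged out. Cancel the login prompt to continue.")


if __name__ == "__main__":
    r = login({"username": "alice", "password": "correct horse"}, "/docs/page?x=1")
    print(r.status, dict(r.headers)["Location"])
```

The `safe_return_path` check is the part most often missing from "redirect back to the requested page" implementations: the requested URL usually arrives in a query parameter, so it must be restricted to a local path before being echoed into a `Location` header.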