RE: XForms requirement 5.8: HTTP Authentication Front-end

Hi Bjoern,

This feature (along with all others in section 5) is for "future
consideration", and not being addressed as part of XForms 1.0.

For that particular feature, there are a number of security considerations,
such as indicating the difference between an "authentic" authorization form
and a "spoofed" one that tricks people into entering their password.

We're already beginning to look into aspects of XForms 2.0 (or whatever
version comes next). Feel free to share your thoughts.

Thanks,

.micah

-----Original Message-----
From: Bjoern Hoehrmann [mailto:derhoermi@gmx.net]
Sent: Saturday, May 25, 2002 3:58 PM
To: www-forms@w3.org; www-html@w3.org
Subject: XForms requirement 5.8: HTTP Authentication Front-end


Hi,

I'd like to know what happened to requirement 5.8 of the XHTML Forms
Requirements document [1]:

[...]
  5.8 HTTP Authentication Front-end

    Current user agents typically implement HTTP authentication with a
    pop-up window requesting name and password. It should be possible
    for XForms to be used as a front end for HTTP authentication.
[...]

There are many people who use different ways of authentication
management on web sites, essentially cookies or proprietary means
of "session tracking", e.g. appending some session id to all URIs
after the user once has logged into the site using some HTML form.
Many of them do so, because HTTP authentication as commonly implemented
into browsers does not fit their design and/or usability demands. I
think this is an unnecessary, sometimes harmful abuse of technology and
have hoped XHTML 2.0 could make a change considering its XForms
integration.

The latest draft does not discuss this feature, so I fear XForms 1.0
and/or its integration into XHTML 2.0 will not enable web page authors
to use XForms for HTTP authentication. Is this true and if yes, why?

[1] http://www.w3.org/TR/2001/WD-xhtml-forms-req-20010404

regards.

Received on Tuesday, 28 May 2002 18:17:56 UTC