HTTP Authentication and Forms
Thursday, 26 August 2004
It’s no secret that HTTP authentication isn’t used as often as it should be. When I talk to Web developers, there are usually a few reasons for their use of cookies for authentication:
- HTTP authentication doesn’t provide any way to “log out” a user
- HTTP authentication doesn’t have a customizable login UI like that provided by HTML forms
- HTTP authentication doesn’t allow a login to span multiple domains like cookies
- HTTP authentication isn’t secure anyway
Those last two reasons can be solved by using HTTP Digest Authentication — which has been widely supported for quite some time — but the first two are fair criticisms.
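To make the Digest point concrete, here is an added example (not code from the original post) of an RFC 2617 `qop=auth` exchange: the client proves knowledge of the password without sending it, and the challenge's `domain` directive lists the URI prefixes that share one login. The realm, hosts, user, password and nonce are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import re

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()  # MD5 is what RFC 2617 specifies

def parse_params(header):
    """Parse the directives after the 'Digest ' scheme token (quoted or bare values)."""
    body = header.split(" ", 1)[1]
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 3.2.2.1: MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_authorization(challenge, username, password, method, uri, nc, cnonce):
    """Build the Authorization header; only hashes derived from the password are sent."""
    c = parse_params(challenge)
    ha1 = md5_hex(f"{username}:{c['realm']}:{password}")
    resp = digest_response(ha1, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def server_verify(authorization, method, request_uri, stored_ha1, expected_nonce):
    """Recompute the response from the stored HA1; the server never needs the password."""
    a = parse_params(authorization)
    if not {"uri", "nonce", "nc", "cnonce", "response"} <= a.keys():
        return False
    if a["nonce"] != expected_nonce or a["uri"] != request_uri or a.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, method, a["uri"], a["nonce"], a["nc"], a["cnonce"])
    return hmac.compare_digest(expected, a["response"])

def in_protection_space(challenge, url):
    """True if url has one of the challenge's 'domain' URIs as a prefix."""
    prefixes = parse_params(challenge).get("domain", "").split()
    return any(url.startswith(p) for p in prefixes)

# Constructed sample values (assumptions, not from the post)
CHALLENGE = ('Digest realm="members@example.org", qop="auth", nonce="c0nstructed-n0nce", '
             'domain="https://www.example.org/ https://shop.example.net/"')
STORED_HA1 = md5_hex("alice:members@example.org:correct horse")
AUTHZ = client_authorization(CHALLENGE, "alice", "correct horse", "GET", "/account",
                             "00000001", "0a4f113b")
if __name__ == "__main__":
    print(AUTHZ)
    print(server_verify(AUTHZ, "GET", "/account", STORED_HA1, "c0nstructed-n0nce"))
```

A production server would also issue unpredictable, expiring nonces and track `nc` per nonce so a captured header cannot be replayed.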
I’ve been frustrated by this for a while, but the other day it occurred to me that we might have an opportunity to fix it in Web Forms, by coming up with form controls or widgets to:
- remove a site’s authentication state from the browser when activated (i.e., a “log out” interface)
- add user data to a site’s authentication state in the browser (i.e., “log on” interfaces)
- display the user’s current authentication state
If the security-related aspects were handled carefully, I think this has a chance to reduce unnecessary use of cookies, improve security, accessibility and even cacheability, and make things easier for automated Web agents, all in one go.
I’ve mentioned it to the WHAT WG. If this seems like a good idea, give them a nudge.