undefined | Better HN

0 pointsmjw15y ago0 comments

For sure. Hence the need for browser vendors to provide hooks - via new HTML5 form attributes, a Javascript API, or ideally both, to enable us to develop our own, usable HTML-based session login and logout forms with HTTP auth.

0 comments

tiles15y ago

This is incredibly necessary for HTTP authentication to be useful, and bizarrely, has been given little to no attention over the years. There's a proposal for HTTP authentication in HTML dating all the way back to 1999:

http://www.w3.org/TR/NOTE-authentform

With only some complex Javascript hacks making it a possible solution:

http://www.peej.co.uk/articles/http-auth-with-html-forms.htm...

Also, HTTP authentication is a benefit to RESTful service design. Cookies have always been the wrong solution to this problem, having all web services to move to HTTPS feels like missing the point.

pornel15y ago

It's all been discussed by WHATWG/W3C and the conclusion was that cookies have too large momentum, Digest is not secure enough, and everyone should be using HTTPS.

http://www.w3.org/html/wg/tracker/issues/13?changelog

http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-Nov...

Digest is vulnerable to MITM attacks. It's only secure against passive sniffing, but if you can sniff, you usually can also modify response, spoof DNS/ARP/base station. If everyone switched to Digest, it would be only a matter of time when someone writes Digest-stripping Firesheep2.

j / k navigate · click thread line to collapse