HTTP Authentication and Forms
Thursday, 26 August 2004
It’s no secret that HTTP authentication isn’t used as often as it should be. When I talk to Web developers, they usually give a few reasons for using cookies for authentication instead:
- HTTP authentication doesn’t provide any way to “log out” a user
- HTTP authentication doesn’t have a customizable login UI like that provided by HTML forms
- HTTP authentication doesn’t allow a login to span multiple domains like cookies
- HTTP authentication isn’t secure anyway
The last two reasons can be addressed with HTTP Digest Authentication, which has been widely supported for quite some time: the client sends a hash computed over the password, the server’s nonce and the request rather than the password itself, and the challenge’s domain directive can list URIs on more than one server that share a protection space. (Digest protects the password on the wire, not the rest of the exchange; that still needs TLS.) The first two, however, are fair criticisms.
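To make the Digest point concrete, here is an added example (not code from the original post) of the exchange: the server’s 401 challenge, the client’s Authorization header computed per RFC 2617 with qop=auth, and the server’s check against a stored hash. The realm, the users and the two hosts listed in the domain directive are constructed for the example.

```python
"""Minimal RFC 2617 HTTP Digest Authentication exchange (added example).

Shows both sides' messages: the password never crosses the wire, the server
only stores MD5(user:realm:password), and the challenge's `domain` directive
names URIs on two hosts that share one protection space. All values are
constructed for illustration.
"""

import hashlib
import hmac
import re

REALM = "example.org members"  # assumed realm
# Absolute URIs on different hosts may share a protection space (RFC 2617 3.2.1).
PROTECTION_SPACE = "https://www.example.org/ https://api.example.org/"


def h(s: str) -> str:
    """MD5 hex digest, the algorithm Digest uses by default."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Server-side credential store: HA1 = MD5(user:realm:password), not the password.
USERS = {"alice": h("alice:%s:correct horse battery staple" % REALM)}


def make_challenge(nonce: str) -> str:
    """Server: the WWW-Authenticate header value sent with a 401."""
    return ('Digest realm="%s", domain="%s", nonce="%s", qop="auth", algorithm=MD5'
            % (REALM, PROTECTION_SPACE, nonce))


def parse_params(header: str) -> dict:
    """Split a Digest header into its key=value directives (quotes removed)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        return {}
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', rest)}


def client_authorization(challenge: str, method: str, uri: str, user: str,
                         password: str, cnonce: str, nc: str) -> str:
    """Client: build the Authorization header. Only a hash of the password is sent."""
    p = parse_params(challenge)
    if "realm" not in p or "nonce" not in p:
        raise ValueError("not a Digest challenge")
    ha1 = h("%s:%s:%s" % (user, p["realm"], password))
    ha2 = h("%s:%s" % (method, uri))
    response = h(":".join([ha1, p["nonce"], nc, cnonce, "auth", ha2]))
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s"'
            % (user, p["realm"], p["nonce"], uri, nc, cnonce, response))


def server_verify(authorization: str, method: str, expected_nonce: str) -> bool:
    """Server: recompute the response from the stored HA1 and compare in constant time."""
    p = parse_params(authorization)
    ha1 = USERS.get(p.get("username"))
    if ha1 is None or p.get("realm") != REALM or p.get("nonce") != expected_nonce:
        return False  # unknown user, wrong realm, or a stale/replayed nonce
    ha2 = h("%s:%s" % (method, p.get("uri", "")))
    expected = h(":".join([ha1, p["nonce"], p.get("nc", ""), p.get("cnonce", ""), "auth", ha2]))
    return hmac.compare_digest(expected, p.get("response", ""))


def demo_exchange(password: str) -> tuple:
    """Run one challenge/response round trip; returns (accepted, authorization header)."""
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed; a real server picks a fresh one per 401
    challenge = make_challenge(nonce)
    auth = client_authorization(challenge, "GET", "/dir/index.html",
                                "alice", password, "0a4f113b", "00000001")
    return server_verify(auth, "GET", nonce), auth


if __name__ == "__main__":
    ok, header = demo_exchange("correct horse battery staple")
    print("accepted:", ok)
    print("Authorization:", header)
```

Note that the server compares against the nonce it issued, so an Authorization header captured from one request cannot simply be replayed against a later challenge; what Digest does not do is hide the resource itself, or make the hash immune to offline guessing.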
I’ve been frustrated by this for a while, but the other day it occurred to me that we might have an opportunity to fix it in Web Forms, by coming up with form controls or widgets to:
- remove a site’s authentication state from the browser when activated (i.e., a “log out” interface)
- add user data to a site’s authentication state in the browser (i.e., “log on” interfaces)
- display the user’s current authentication state
If the security-related aspects were handled carefully, I think this has a chance to reduce unnecessary use of cookies, improve security, accessibility and even cacheability, and make things easier for automated Web agents, all in one go.
I’ve mentioned it to the WHAT WG. If this seems like a good idea, give them a nudge.
