Tuesday, December 2nd, 2008

HTML 5: Integrating HTTP authentication with HTML forms

Category: HTML, Standards

Mark Pilgrim has a new This Week in HTML 5 that features a big new proposal for integrating HTTP authentication with HTML forms.

A common use for forms is user authentication. To indicate that an HTTP URL requires authentication through such a form before use, the HTTP 401 response code with a WWW-Authenticate challenge “HTML” may be used.

For this authentication scheme, the framework defined in RFC2617 is used as follows. [RFC2617]

challenge = "HTML" [ form ]

form      = "form" "=" form-name 
form-name = quoted-string

The form parameter, if present, indicates that the first form element in the entity body whose name is the specified string, in tree order, if any, is the login form. If the parameter is omitted, then the first form element in the entity body, in tree order, if any, is the login form.

There is no credentials production for this scheme because the login information is to be sent as a normal form submission and not using the Authorization HTTP header.
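The selection rule quoted above, worked through as an added example (not code from the proposal, from Mark Pilgrim, or from any browser): it parses a `WWW-Authenticate` value against the grammar and picks the login form from a 401 response body. The function names and the sample HTML are constructed for illustration; start tags are collected in document order, which matches tree order for `form` elements.

```python
import re
from html.parser import HTMLParser

# challenge = "HTML" [ form ] ; form = "form" "=" quoted-string
_CHALLENGE = re.compile(
    r'^\s*HTML(?:\s+form\s*=\s*"((?:[^"\\]|\\.)*)")?\s*$', re.I)

def parse_html_challenge(header_value):
    """Return (is_html_scheme, form_name or None) for a WWW-Authenticate value."""
    m = _CHALLENGE.match(header_value)
    if not m:
        return (False, None)
    name = m.group(1)
    if name is not None:
        name = re.sub(r'\\(.)', r'\1', name)  # undo quoted-pair escapes
    return (True, name)

class _FormCollector(HTMLParser):
    """Records each <form> start tag's attributes in document order."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append(dict(attrs))

def find_login_form(status, www_authenticate, body):
    """First form with the given name, or the first form if no name was sent."""
    if status != 401:
        return None
    is_html, name = parse_html_challenge(www_authenticate)
    if not is_html:
        return None
    collector = _FormCollector()
    collector.feed(body)
    for attrs in collector.forms:
        if name is None or attrs.get("name") == name:
            return attrs
    return None  # the "if any" case: no matching form in the body

# Constructed sample 401 response body: a search form precedes the login form.
SAMPLE_BODY = """<!DOCTYPE html><title>Sign in</title>
<form name="search" action="/search"><input name="q"></form>
<form name="login" method="post" action="/session">
  <input name="user"><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    print(find_login_form(401, 'HTML form="login"', SAMPLE_BODY))
    print(find_login_form(401, 'HTML', SAMPLE_BODY))
```

With the bare `HTML` challenge the sample page's search form is selected, because it comes first in tree order; a server whose 401 page carries more than one form needs the `form` parameter to identify the login form unambiguously.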

Mark then goes on to say:

This idea has been kicked around for more than a decade. Microsoft wrote User Agent Authentication Forms in 1999. Mark Nottingham asked the WHATWG to investigate the idea in 2004. Better late than never, Ian Hickson summarizes the feedback to date. No doubt this new proposal will generate further discussion. No browsers currently support this proposal.

The idea makes total sense to me. The old HTTP BASIC style of authentication is a dying breed due to the annoying popup style and implementation. It needs a shake up, don’t you think?

Posted by Dion Almaer at 6:54 am


Aside from the digest authentication stuff, this doesn’t really offer anything to web authors. The rest of it falls under the category of semantic web. Knowing that certain content requires authentication would make it easier for Google to crawl and categorize the web, but in no way easier for web authors to secure a web site. Also none of those proposals explicitly mention multi-step logins, and while nothing I read in them precludes that, I can imagine broken implementations of this assuming and only allowing single-step logins with only username / password semantics.

Comment by JonathanLeech — December 2, 2008

Please please don’t require HTTP implementations to understand HTML. You’d be forcing a good spec (HTTP) to depend on a bad one (HTML).

There are much simpler solutions to this problem if you’re already planning to ask browser-makers to change their ways.

Comment by trav1m — December 3, 2008
