I just stumbled on this post at a site called Necronomicorp, proposing to create a better browser interface for HTTP authentication.
I won’t copy-paste his content, but the upshot is that popup HTTP authentication windows suck in terms of usability (and aesthetics), web browsers shouldn’t automatically throw an authentication window up when confronted with a 401, and that it should be possible to “log out.” The author proposes a friendlier, optional authentication sidebar browser plugin, which allows clearing of HTTP auth credentials before the session is ended.
The idea is good, but it doesn’t “fix” HTTP authentication — insofar as it has fundamental problems that are pretty obvious. Even digest authentication can be replayed, and credentials are sent with each request. That said, it’s a good approach to improving browser handling of authentication, and I’ll be curious to see an implementation.
Recent Comments