On Thu, 25 Feb 2010 16:00:37 -0000, Timothy D. Morgan
<[email protected]> wrote:
As a follow up to my paper advocating HTTP authentication over
cookies [1], I've built a simple sample application which demonstrates
how a combination of XMLHttpRequest and response code tricks can be
used to achieve form-based login, logout, and authenticated password
changes in the four most popular browsers:
http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip
Note that this is achieved without using any checks to determine what
browser is being used.
While this is promising, I still think we should have an HTTP-based
log out mechanism. In addition, the proposed W3C change to
XMLHttpRequest authentication behavior will make this code much
simpler.
FIY a while ago I've implemented proof-of-concept as well, but by using
URLs with login/password:
http://geekhood.net/auth/
Those two approaches combined could offer solution with good user
experience and working non-JS fallback.
--
regards, Kornel LesiĆski
