dotgnu-auth

[Auth]simple logon proposal feedback


From: R. Saravanan
Subject: [Auth]simple logon proposal feedback
Date: Fri, 27 Jul 2001 08:45:16 -0700 (PDT)

>>The advantage of using an URI scheme is that websites
>>do not need to define a new MIME type.

>I couldn't quite follow how this would work in detail.
>Can you give an example of exactly what modification
>the web page designer has to make to an existing
>logon page, and spell out how the client software
>is going to be able to intercept that request in
>IE or Netscape?

Let us say the web site redirects the client software
to the following URL:
    x-dotgnu://localhost/<request-info>
The browser will invoke the installed x-dotgnu
protocol handler to handle the URL and will display
any content output by the protocol handler. The
protocol handler can then output a GET redirection
back to the website to authenticate the user. Protocol
handlers are fairly easy to implement for IE and
Mozilla. The only sticking point is that there is no
easy way to find out whether the client software
actually has the x-dotgnu protocol installed. Browsers
do not advertise the presence of additional installed
software, which is perhaps necessary for privacy
reasons. I can't think of any way of doing that without
using SCRIPT. The EMBED approach will not work with
protocol handlers. So defining a new MIME type is
perhaps the way to go, despite the inconvenience of
having to reconfigure web servers to handle the new
MIME type.


>>3. In addition to supporting plain text password
>>authentication (similar to the HTTP Basic
>>Authentication) the logon scheme should also support
>>the newer Digest-MD5 authentication, which uses a
>>challenge-response protocol without having to
>>transmit the plaintext password.

>Do Netscape and IE provide a defined mechanism for
>plugin software to intercept and respond to HTTP
>authentication challenges? This is a mechanism that,
>in practice, would require implicitly accessing the
>user's password for many pages at a given web
>site rather than just at a single logon page, right?

I'm not sure whether IE/Mozilla support digest
authentication yet. I suspect most web sites don't
support it at the current time either. You can check
out the RFC
http://community.roxen.com/developers/idocs/rfc/rfc2617.html
It is certainly something that should be supported in
new software (or protocols) in the interests of better
security.

Saravanan
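
As an added example (not part of the original message or of any DotGNU code): the RFC 2617 Digest challenge-response that the message refers to, computed on the client and checked on the server using the sample values from the RFC's own worked example. The `Verifier` class and its nonce bookkeeping are assumptions made for illustration.

```python
import hashlib
import hmac

# Sample values from the worked example in RFC 2617 section 3.5 (not from the post).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"
URI = "/dir/index.html"

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # Only value derived from the password; the server can store it instead of plaintext.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Verifier:
    """Hypothetical server side: knows HA1 per user and the nonces it issued."""
    def __init__(self, ha1_by_user, issued_nonces):
        self.ha1_by_user = ha1_by_user
        self.last_nc = {n: 0 for n in issued_nonces}  # nonce -> highest nc accepted

    def check(self, username, method, uri, nonce, nc, cnonce, response):
        stored = self.ha1_by_user.get(username)
        if stored is None or nonce not in self.last_nc:
            return False  # unknown user, or a nonce this server never issued
        count = int(nc, 16)
        if count <= self.last_nc[nonce]:
            return False  # nonce count did not increase: replayed request
        expected = digest_response(stored, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = count
        return True

if __name__ == "__main__":
    server = Verifier({USER: ha1(USER, REALM, PASSWORD)}, [NONCE])
    resp = digest_response(ha1(USER, REALM, PASSWORD), "GET", URI, NONCE, "00000001", CNONCE)
    print(resp)
    print(server.check(USER, "GET", URI, NONCE, "00000001", CNONCE, resp))  # first use
    print(server.check(USER, "GET", URI, NONCE, "00000001", CNONCE, resp))  # replay
```

The stored HA1 value is enough to compute valid responses for its realm, so it needs the same protection as a password. RFC 7616 later added SHA-256 to the same scheme.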



