
Do you mean basic & digest http auth built into the browsers? If so, yes, they are bad. The issue is you cannot reliably implement log off on all browsers.


Is this still true, for any browser that is still used? It seems a couple of decades would be long enough to get this right...


Still true when I tested last year. The core protocol does not have a defined way to get the browser to forget the login.

You have to resort to different fudges on different browsers.

Net/Net: the http auth ui sucks, has bad usability, weak crypto, and is not robust with logout.

HTML/form based auth can be made robust and is a preferable alternative in every case.
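The contrast drawn above, as an added illustration (not code from the thread): a Basic-auth check has no way to make a browser that keeps replaying a valid header stop, while form-based login with a server-side session can be revoked at will. The user store, realm-free handler functions and in-memory session dict are constructed for the example.

```python
import base64
import hmac
import secrets

# Constructed demo credential store; plaintext only for the illustration.
USERS = {"alice": "correct horse"}
SESSIONS = {}  # session token -> username (server-side state)


def basic_header(user, pw):
    """Build the 'Authorization: Basic' value a browser would resend."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def basic_auth(headers):
    """Check a Basic header; 200 if valid, else 401.

    The browser replays the header on every request and the protocol has no
    message telling it to forget, so the server cannot implement 'logout'.
    """
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return 401
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    expected = USERS.get(user)
    # Constant-time compare so the check itself does not leak timing.
    if expected is None or not hmac.compare_digest(pw.encode(), expected.encode()):
        return 401
    return 200


def session_login(user, pw):
    """Form-based login: verify once, then issue a random session token."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(pw.encode(), expected.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def session_auth(headers):
    """Authorize by cookie; valid only while the server still remembers it."""
    _, _, token = headers.get("Cookie", "").partition("session=")
    return 200 if token and token in SESSIONS else 401


def session_logout(token):
    """Logout is deleting server-side state; the old cookie becomes useless."""
    SESSIONS.pop(token, None)
```

Note that after `session_logout` the same cookie is rejected, whereas nothing the server does can make `basic_auth` reject a replayed valid header without also locking the user out entirely.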


I'm talking about using the 'Authentication: ' headers, not relying on the browser's handling of auth (other than making the requests).

