On Wed, Sep 14, 2011 at 4:30 PM, Joshua Paine <jos...@letterblock.com> wrote:

> On 9/14/2011 4:22 PM, Ben Summers wrote:
>
>> HTTP basic authentication is widely supported in HTTP client
>> libraries, and much less hassle to use than passing tokens around.
>>
>
> The three major downsides with HTTP Basic Auth are:
>
> 1) No pretty login page
> 2) No reliable way to logout in most browsers
> 3) Requires sending the username and password over the wire
>
> 1 and 2 are irrelevant for a JSON API, and fossil's web ui already sends
> the username and password in the clear over the wire unless you're using
> HTTPS, so this is no greater risk, and it inherits the protection that an
> HTTPS setup provides.
>
> I vote for HTTP Basic Auth, provided that someone can confirm the major
> browser AJAX functions support it.
>

Note that Basic Auth is normally handled by the web server, not the client
application.  The web server checks the credentials and then sets the
REMOTE_USER environment variable.  Fossil honors the REMOTE_USER environment
variable in CGI mode, so you can use Fossil with Basic Auth.  But, it comes
with all the downsides listed above, plus it means that the Admin/User page
will no longer work for setting and changing passwords since the passwords
are now stored in the web server, not in Fossil.

One other thing:  I don't think Basic Auth allows anything equivalent to the
current "nobody" user or the "anonymous" user.  If you don't have a valid
login and password you cannot see anything at all.  That would be downside
#5, if I'm counting right....


>
> (Curl and other libs certainly support it.)
>
> --
> Joshua Paine
> LetterBlock: Web Applications Built With Joy
> http://letterblock.com/
> 301-576-1920
>
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>



-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
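The thread above describes the Basic Auth flow from the server's side: the client library puts `user:password` on the wire, the web server checks it, and only a successful check results in a `REMOTE_USER` value for the CGI program. The following is an added example, not code from Fossil or from anyone on the list, that walks through that flow in a self-contained way: it builds the header a client would send, parses and verifies it the way a web server would, and returns either a `401` challenge or a CGI-style `REMOTE_USER`. The credential store, salt and realm are constructed for the example; the hashing scheme is an assumption, not what any particular web server uses.

```python
"""Minimal server-side HTTP Basic Auth check, as a stand-alone illustration.

Added example (not from the fossil-users thread). It models what a web
server does before a CGI program such as Fossil sees REMOTE_USER.
"""
import base64
import binascii
import hashlib
import hmac

# Constructed credential store: username -> salted SHA-256 hex digest.
# In a real deployment this lives in the web server's own store (an
# htpasswd file, for instance), which is why Fossil's Admin/User page
# cannot change these passwords.
_SALT = b"example-salt"            # constructed, not a real deployment value
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}
# Digest of an unknown user's "password" so that verification takes the
# same amount of work whether or not the username exists.
_DUMMY_DIGEST = hashlib.sha256(_SALT + b"dummy").hexdigest()


def make_basic_header(user, password):
    """What a client library sends. Base64 is an encoding, not encryption:
    anyone who sees this header (no TLS) can recover user and password."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or
    None when the header is absent, uses another scheme, or is malformed."""
    if header is None:
        return None
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        return None
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")   # split at the first colon only
    if not sep:
        return None
    return user, password


def check_credentials(user, password):
    """Constant-time comparison against the stored digest."""
    expected = USERS.get(user, _DUMMY_DIGEST)
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    ok = hmac.compare_digest(expected, candidate)
    return ok and user in USERS


def authenticate(headers):
    """Act like the web server: (401, challenge headers) when the credentials
    are missing or wrong, otherwise (200, CGI environment) with REMOTE_USER.

    Note there is no 'nobody' or 'anonymous' fallback here: without valid
    credentials the request is refused outright, which is the downside the
    thread points out.
    """
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="fossil"'}   # realm constructed
    return 200, {"REMOTE_USER": creds[0]}


if __name__ == "__main__":
    # Unauthenticated request: challenged, nothing served.
    print(authenticate({}))
    # Authenticated request: the CGI program would see REMOTE_USER=alice.
    print(authenticate({"Authorization": make_basic_header("alice", "correct horse")}))
    # The header is trivially reversible without HTTPS.
    print(parse_basic_header(make_basic_header("alice", "correct horse")))
```

`parse_basic_header` splits at the first colon because RFC 7617 allows colons in the password but not in the user name; the dummy digest keeps the unknown-user path as expensive as the known-user path, so a probe cannot distinguish the two by timing.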