On Oct 21, 9:39 am, "Aaron Swartz" <[EMAIL PROTECTED]> wrote:

> (Although you have to wonder whether users might not be better served
> by the more secure Digest authentication features built into HTTP, but
> since just about every application on the Web uses cookies at this
> point, that's probably a lost cause. There's some hope for improvement
> in HTML5 (the next version of HTML) since they're-- oh, wait, they're
> not fixing this. Hmm, well, I'll try suggesting it.[^w])
>
> [^w]:http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-October/0167...

It isn't a lost cause until you give it up.  In a world of wi-fi I
feel increasingly nervous about insecure session cookies.  Download
session-hijacking tools like "Hamster and Ferret" to see what I
mean.

In fact, I just wrote a digest authentication plug-in for web.py.  The
module is at http://www.autopond.com/digestauth.py and sample code
using it is at http://www.autopond.com/authwall.py .

A lot of smart people worked hard on creating the digest
authentication standard.  A lot of less-than-smart people at Microsoft
screwed up its implementation in IE6.  But that shouldn't stop us
anymore.  Modern browsers do it correctly.  As for the biggest user-
interface knock against digest authentication (which you mention on
whatwg), you can use an AJAX call to the server to establish the
authentication without ever confronting the poor confused user with an
ugly "username/password" dialog box.

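Added example, not part of the original message and not the digestauth.py module it links to: a minimal sketch of the RFC 2617 digest exchange (qop=auth), showing that the server checks a hash bound to its own nonce and a rising nonce count, so a sniffed header cannot simply be replayed the way a sniffed session cookie can. The class, function and field names, the realm and the sample account are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1_for(username, realm, password):
    # The server stores this hash; the password itself is never sent.
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    # RFC 2617 request-digest for qop=auth: the only secret-derived value on the wire.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.last_nc = {}  # issued nonce -> highest nonce count accepted so far

    def challenge(self):
        # Fresh nonce for the 401 WWW-Authenticate header.
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, method, request_uri, f):
        # f: fields parsed from the client's "Authorization: Digest ..." header.
        ha1 = self.ha1_by_user.get(f.get("username"))
        nonce = f.get("nonce")
        if ha1 is None or f.get("realm") != self.realm or nonce not in self.last_nc:
            return False
        if f.get("uri") != request_uri or f.get("qop") != "auth":
            return False
        try:
            nc = int(f["nc"], 16)
            expected = digest_response(ha1, method, request_uri, nonce, f["nc"], f["cnonce"])
            matches = hmac.compare_digest(expected.encode(), f["response"].encode())
        except (KeyError, ValueError, TypeError, AttributeError):
            return False
        if not matches or nc <= self.last_nc[nonce]:
            return False  # wrong digest, or a captured header replayed
        self.last_nc[nonce] = nc
        return True

# Constructed sample account for the illustration, not taken from the post.
REALM = "example"
server = DigestVerifier(REALM, {"alice": ha1_for("alice", REALM, "correct horse")})
```

Digest protects the credential exchange only; request and response bodies still travel in the clear unless the connection uses TLS.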