Re: [dwm] [OT] least sucking authentication for web?

From: Tuncer Ayaz <tuncer.ayaz_AT_gmail.com>
Date: Tue, 27 May 2008 11:34:20 +0200

On Tue, May 27, 2008 at 10:41 AM, Archie Elberling
<archie_AT_codersoffortune.net> wrote:
>
> Ok, So I've been writing a C library to provide wiki-style markup decoding
> (I dimly recall Anselm putting out a request for one ages ago - it's not
> markdown syntax though) and an accompanying lightweight cwiki that uses it.
> (expect an announce soonish if anyone is interested).
>
> Anyway, I was looking at adding authentication to it, and I was wondering
> what you guys thought about the options. The way I see it, there are three
> approaches I could take:
>
> 1. basic authentication over ssl
> + everything supports it
> + easy to implement (the server handles it for us)
> - requires ssl for any level of (password) security
> - presents the user with a login box as soon as they visit the site even if
> you allow anonymous reading
>
> 2. digest authentication
> + can be used without ssl with reasonable security
> + easy to implement ( appears as basic auth to the app )
> - some browsers can't handle it ( mostly older versions, links and links2
> can't either. elinks can though)
> - presents the user with a login box as soon as they visit the site even if
> you allow anonymous reading
>
> 3. custom login procedure with cookies/javascript to (effectively) simulate
> digest authentication
> + can be used without ssl with reasonable security
> + the javascript required is probably (marginally) more widely supported
> than digest auth
> + only need to prompt for login when required.
> - requires javascript (currently the app is pure html) for functionality
> - will be (some) work to implement.
>
> I admit I'm leaning towards 1/2 but I was interested if any of you guys
> have an opinion.
>
> Regards,
> Archie
>
>

I would choose #2 (Digest) as a better form of #1.
Relying on just TLS without mutual authentication
is not enough and therefore using Digest helps.
Received on Tue May 27 2008 - 11:34:21 UTC
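The Digest scheme that Archie lists as option 2 and Tuncer recommends boils down to the computation below. This is an added example, not code from Archie's cwiki or markup library; it assumes a hypothetical realm name, that the server stores only HA1 (MD5 of user:realm:password) per user rather than the password, and it uses the RFC 2617 worked values as a self-check.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    # HA1 = MD5(user:realm:password). The server keeps this, never the password.
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 response for qop=auth; the cleartext password never hits the wire.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: hands out nonces on 401 and checks Authorization headers."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm           # hypothetical realm, e.g. "cwiki"
        self.users = users           # {username: HA1}
        self.nonces = {}             # nonce -> highest nonce-count accepted so far

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)    # unpredictable, fresh per challenge
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if nonce not in self.nonces:
            return False                 # unknown or stale nonce: force a new challenge
        try:
            nc_value = int(nc, 16)
        except ValueError:
            return False                 # malformed nonce-count
        if nc_value <= self.nonces[nonce]:
            return False                 # replayed (nonce, nc) pair
        ha1 = self.users.get(user)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False
        self.nonces[nonce] = nc_value    # accept and advance the replay counter
        return True
```

Note that the nonce-count check only protects against replay of a captured header; it does not hide the request from a passive observer the way TLS would.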
