Re: [dwm] [OT] least sucking authentication for web?

From: Tuncer Ayaz <tuncer.ayaz_AT_gmail.com>
Date: Tue, 27 May 2008 11:41:45 +0200

On Tue, May 27, 2008 at 11:34 AM, Tuncer Ayaz <tuncer.ayaz_AT_gmail.com> wrote:
> On Tue, May 27, 2008 at 10:41 AM, Archie Elberling
> <archie_AT_codersoffortune.net> wrote:
>>
>> Ok, so I've been writing a C library to provide wiki-style markup decoding
>> (I dimly recall Anselm putting out a request for one ages ago - it's not
>> markdown syntax though) and an accompanying lightweight cwiki that uses it.
>> (expect an announce soonish if anyone is interested).
>>
>> Anyway, I was looking at adding authentication to it, and I was wondering
>> what you guys thought about the options. The way I see it, there are three
>> approaches I could take:
>>
>> 1. basic authentication over ssl
>> + everything supports it
>> + easy to implement (the server handles it for us)
>> - requires ssl for any level of (password) security
>> - presents the user with a login box as soon as they visit the site even if
>> you allow anonymous reading
>>
>> 2. digest authentication
>> + can be used without ssl with reasonable security
>> + easy to implement ( appears as basic auth to the app )
>> - some browsers can't handle it ( mostly older versions, links and links2
>> can't either. elinks can though)
>> - presents the user with a login box as soon as they visit the site even if
>> you allow anonymous reading
>>
>> 3. custom login procedure with cookies/javascript to (effectively) simulate
>> digest authentication
>> + can be used without ssl with reasonable security
>> + the javascript required is probably (marginally) more widely supported
>> than digest auth
>> + only need to prompt for login when required.
>> - requires javascript (currently the app is pure html) for functionality
>> - will be (some) work to implement.
>>
>> I admit I'm leaning towards 1/2 but I was interested if any of you guys
>> have an opinion.
>>
>> Regards,
>> Archie
>>
>>
>
> I would choose #2 (Digest) as a better form of #1.
> Relying on just TLS without mutual authentication
> is not enough and therefore using Digest helps.

Of course all of that depends on the deployment
scenario.

Anyway, if you go with #3 and need the security
provided by digest auth you need to implement
it in JavaScript. I guess that's obvious :).

Received on Tue May 27 2008 - 11:41:46 UTC
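The server-side check behind Archie's option 2, as an added example (not code from cwiki or from anyone on the list): an RFC 2617 Digest verifier with qop=auth that stores HA1 rather than the password, compares the response in constant time, and rejects a replayed nonce count. The realm, user, password and client values are constructed.

```python
import hashlib
import hmac
import secrets
REALM = "cwiki"  # constructed realm; user, password and client values below are made up too
def h(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()  # Digest's H(): lowercase hex MD5
def ha1(user: str, password: str, realm: str = REALM) -> str:
    # HA1 = H(user:realm:password); the server may store this instead of the password
    return h(f"{user}:{realm}:{password}")
def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth") -> str:
    # The client's response= value: H(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri)
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{h(f'{method}:{uri}')}")

class DigestVerifier:
    def __init__(self, ha1_store):
        self.ha1_store = ha1_store  # user -> HA1 hex (no plaintext passwords kept)
        self.nonces = {}            # nonce issued by us -> highest nc accepted so far

    def new_nonce(self) -> str:
        n = secrets.token_hex(16)
        self.nonces[n] = 0
        return n

    def verify(self, f: dict, method: str) -> bool:
        ha1_hex = self.ha1_store.get(f.get("username"))
        if ha1_hex is None or f.get("nonce") not in self.nonces:
            return False  # unknown user, or a nonce we never issued
        nc = int(f["nc"], 16)
        if nc <= self.nonces[f["nonce"]]:
            return False  # nc must increase per nonce: rejects a replayed request
        expected = digest_response(ha1_hex, method, f["uri"], f["nonce"],
                                   f["nc"], f["cnonce"], f.get("qop", "auth"))
        if not hmac.compare_digest(expected, f["response"]):
            return False  # wrong password, or tampered method/URI
        self.nonces[f["nonce"]] = nc
        return True

def demo():
    # Constructed exchange: a valid POST, the same request replayed, then a wrong password
    v = DigestVerifier({"archie": ha1("archie", "correct horse")})
    nonce = v.new_nonce()
    f = {"username": "archie", "nonce": nonce, "uri": "/edit/FrontPage", "qop": "auth",
         "nc": "00000001", "cnonce": "0a4f113b"}
    f["response"] = digest_response(ha1("archie", "correct horse"), "POST", f["uri"],
                                    nonce, f["nc"], f["cnonce"])
    ok, replay = v.verify(f, "POST"), v.verify(f, "POST")
    bad = dict(f, nc="00000002", response=digest_response(
        ha1("archie", "wrong"), "POST", f["uri"], nonce, "00000002", f["cnonce"]))
    return ok, replay, v.verify(bad, "POST")
```

Note that nothing here authenticates the server to the client, which is the gap Tuncer points at: Digest keeps the password off the wire, but only TLS (or mutual auth) tells the browser who it is talking to.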
