[dwm] [OT] least sucking authentication for web?

From: Archie Elberling <archie_AT_codersoffortune.net>
Date: Tue, 27 May 2008 09:41:23 +0100

OK, so I've been writing a C library to provide wiki-style markup decoding
(I dimly recall Anselm putting out a request for one ages ago - it's not
markdown syntax though) and an accompanying lightweight cwiki that uses it
(expect an announce soonish if anyone is interested).

Anyway, I was looking at adding authentication to it, and I was wondering
what you guys thought about the options. The way I see it, there are three
approaches I could take:

1. basic authentication over ssl
+ everything supports it
+ easy to implement (the server handles it for us)
- requires ssl for any level of (password) security
- presents the user with a login box as soon as they visit the site even if
you allow anonymous reading

2. digest authentication
+ can be used without ssl with reasonable security
+ easy to implement (appears as basic auth to the app)
- some browsers can't handle it (mostly older versions; links and links2
can't either, elinks can though)
- presents the user with a login box as soon as they visit the site even if
you allow anonymous reading

3. custom login procedure with cookies/javascript to (effectively) simulate
digest authentication
+ can be used without ssl with reasonable security
+ the javascript required is probably (marginally) more widely supported
than digest auth
+ only need to prompt for login when required.
- requires javascript (currently the app is pure html) for functionality
- will be (some) work to implement.

I admit I'm leaning towards 1/2 but I was interested if any of you guys
have an opinion.

Regards,
Archie
Received on Tue May 27 2008 - 10:42:28 UTC
