[Cosmo-dev] CMP and AJAX
mde at osafoundation.org
Tue Sep 19 21:54:15 PDT 2006
Nice work on the Ajax/CMP. Some feedback:
Option 1 - Regular browser based Basic Authentication at login time
Some cursory tests with Apache2 and basic auth show that the optional
username and password params for XHR work as expected in all the
browsers we support (Firefox 1.x, IE6, and Safari 2.x). They behave
exactly as if the user had filled in the username and password in the
normal auth popup box -- which means the credentials cache, and there's
no clean way for the user to log out.
To avoid the annoying pop-up if the user gets the auth info wrong, we
could in theory first authenticate with a regular XHR/form POST just to
confirm their credentials, and then once the user is confirmed, do all
subsequent requests with those verified credentials using basic auth
To me the real deal breaker on this one is the inability to allow the
user to log out of the app without throwing up an auth dialog. I don't
think we want users playing whack-a-mole with that silly popup. And that
dialog box does indeed look like ass.
Option 2 - Manually do Basic Authentication for every CMP request
Manually setting the Authorization header with XHR seems to work great
in all our supported browsers (miraculously, even in Safari). I was
testing with my own XHR library, but Dojo's io.bind lets you do the same
thing easily by setting headers in kwArgs["headers"].
You get no irritating authentication dialog box, and the browser doesn't
cache the credentials, so logging out of the app isn't a problem. This
seems like the nicest solution if we can get over the security hurdles.
It does seem like you'd have to have the password sitting somewhere on
the client to do this with basic auth. It could be just a JS variable,
and you could even just save the base64-encoded 'username:password'
string, so it's not human-readable, but that's likely not sufficient. We
could probably do some other stuff too to make it pretty irritating to
try to retrieve, but in the end anyone with access to a JS shell and
knowledge of the source code could grab someone's password if the person
left themselves logged in.
Good work on this.
Travis Vachon wrote:
> I've put together a wiki page summarizing the problem as I see it.
More information about the cosmo-dev