[Cosmo-dev] CMP and AJAX
Matthew Eernisse
mde at osafoundation.org
Tue Sep 19 21:54:15 PDT 2006
Travis,
Nice work on the Ajax/CMP. Some feedback:
Option 1 - Regular browser based Basic Authentication at login time
Some cursory tests with Apache2 and basic auth show that the optional
username and password params for XHR work as expected in all the
browsers we support (Firefox 1.x, IE6, and Safari 2.x). They behave
exactly as if the user had filled in the username and password in the
normal auth popup box -- which means the credentials cache, and there's
no clean way for the user to log out.
To avoid the annoying pop-up if the user gets the auth info wrong, we
could in theory first authenticate with a regular XHR/form POST just to
confirm their credentials, and then once the user is confirmed, do all
subsequent requests with those verified credentials using basic auth
through XHR.
To me the real deal breaker on this one is the inability to allow the
user to log out of the app without throwing up an auth dialog. I don't
think we want users playing whack-a-mole with that silly popup. And that
dialog box does indeed look like ass.
Option 2 - Manually do Basic Authentication for every CMP request
Manually setting the Authorization header with XHR seems to work great
in all our supported browsers (miraculously, even in Safari). I was
testing with my own XHR library, but Dojo's io.bind lets you do the same
thing easily by setting headers in kwArgs["headers"].
You get no irritating authentication dialog box, and the browser doesn't
cache the credentials, so logging out of the app isn't a problem. This
seems like the nicest solution if we can get over the security hurdles.
It does seem like you'd have to have the password sitting somewhere on
the client to do this with basic auth. It could be just a JS variable,
and you could even just save the base64-encoded 'username:password'
string, so it's not human-readable, but that's likely not sufficient. We
could probably do some other stuff too to make it pretty irritating to
try to retrieve, but in the end anyone with access to a JS shell and
knowledge of the source code could grab someone's password if the person
left themselves logged in.
Good work on this.
Matthew
Travis Vachon wrote:
> I've put together a wiki page summarizing the problem as I see it.
>
> http://wiki.osafoundation.org/bin/view/Journal/AjaxCMPAuthentication09192006
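The point in Option 2 about the base64-encoded 'username:password' string, as an added example that is not code from this thread or from the Cosmo project: it builds the Authorization header value a client would set by hand (the same string you would drop into Dojo's kwArgs["headers"]), then parses it back the way a server does, which is all anyone with a JS shell would need to do to read the password. The function names, the sample credentials and the use of Node's Buffer for base64 are my own assumptions.

```javascript
// Added example, not from the cosmo-dev thread or the Cosmo code base.
// Basic auth per RFC 7617: "Basic " + base64(username ":" password).
// Credentials below are constructed sample values.

function basicAuthHeader(username, password) {
  // A username may not contain ':' because the first ':' is the separator;
  // the password may contain any number of them.
  if (username.includes(':')) {
    throw new Error('username must not contain ":"');
  }
  const raw = `${username}:${password}`;
  // Encoding, not encryption: base64 hides nothing from anyone who can read it.
  return 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
}

// What a client doing Option 2 would keep around for every CMP request.
// The header value is the password in a trivially reversible form.
function buildRequestOptions(url, username, password) {
  return {
    url,
    headers: { Authorization: basicAuthHeader(username, password) },
  };
}

// Server-side (or attacker-side) view: recover the credentials from the header.
// Returns null for anything that is not a well-formed Basic header.
function decodeBasicAuthHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// The thread's caveat in one call: given only what sits in the client's
// memory (the request options), the clear-text password comes straight back.
function passwordRecoverableFrom(requestOptions) {
  const parsed = decodeBasicAuthHeader(requestOptions.headers.Authorization);
  return parsed ? parsed.password : null;
}

// Stand-alone run: constructed sample credentials.
const sampleOptions = buildRequestOptions('/cmp/user/alice', 'alice', 's3cret');
console.log(sampleOptions.headers.Authorization);        // Basic YWxpY2U6czNjcmV0
console.log(passwordRecoverableFrom(sampleOptions));     // s3cret
```

The decoder splits on the first colon only, so a password containing ':' survives the round trip; a header that is not Basic (for example a Digest or bearer-style one) yields null instead of a garbage split.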