[cosmo-dev] Basic Auth is sooo 1996

Travis Vachon travis at osafoundation.org
Wed Nov 28 12:24:22 PST 2007


On Nov 28, 2007, at 10:58 AM, Matthew Eernisse wrote:

> Travis,
>
> Thanks for keeping the overall auth/security thing on your radar as  
> well as you're trudging through all this encoding stuff.
>
> Travis Vachon wrote:
>> 1) Make the tweak to our client side base64 encoding algorithm to  
>> get this working in our application
>> 2) I think this provides yet another reason we should look into  
>> alternate authentication mechanisms a la WSSE (http://www.xml.com/pub/a/2003/12/17/dive.html 
>> ) or Google's authentication scheme. The first step I'd like to  
>> take in this vein is to read some of the archives of the ietf-http- 
>> auth mailing list to come up to speed on http authentication  
>> proposals and report back here.
>
> +1 on the idea of doing what tweaks we can to what we have now if  
> it's easy to do.
>
> I'm guessing other auth schemes like WSSE would still require a  
> plaintext equivalent of password to be kept somewhere on the client,  
> correct?
>

No, that's precisely what we're hoping to avoid.

> I realize this is kind of tangential to the discussion, but it  
> occurs to me that we've been ignoring a pretty obvious and fairly  
> secure way to store those creds client-side, since JS gives us real  
> private vars with inner scope:

Our problem is preserving credentials between page loads (i.e., remember  
credentials on the login page and have them available in the pim/admin/account  
browser ui), so this doesn't do it.

One option we'd talked about in the past is storing un/pw in a cookie  
only between page loads, deleting the cookie onpageload and storing it  
again onpageunload. I'm not a big fan of this approach because:

a) it's fragile and fairly tricky to implement
b) it only solves our problem while the user is looking at the page,  
leaving the password hanging around in a cookie all other times

YMMV, but to me the small security gain (b) isn't worth the cost of  
implementation (a) if we already plan to come up with a real solution  
soon.

-Travis

