[cosmo-dev] Basic Auth is sooo 1996
Travis Vachon
travis at osafoundation.org
Wed Nov 28 17:12:25 PST 2007
On Nov 28, 2007, at 5:06 PM, Matthew Eernisse wrote:
> Responses below ...
>
> Travis Vachon wrote:
>>> I'm guessing other auth schemes like WSSE would still require a
>>> plaintext equivalent of password to be kept somewhere on the
>>> client, correct?
>>>
>> No, that's precisely what we're hoping to avoid.
>
> I did read that XML.com article back when I was playing with the
> Pownce API -- from what I can see, you still have to keep the
> password around somewhere to create the digest for each request,
> right?
>
I actually haven't become familiar enough with WSSE to know if it will
actually meet our needs; all I was thinking is that it is similar to
what we are aiming for. Sorry for the confusion!
>>> I realize this is kind of tangential to the discussion, but it
>>> occurs to me that we've been ignoring a pretty obvious and fairly
>>> secure way to store those creds client-side, since JS gives us
>>> real private vars with inner scope:
>> Our problem is preserving credentials between page loads (ie,
>> remember credentials on login page and have them available in the
>> pim/admin/account browser ui), so this doesn't do it.
>
> Oop, I'm a doof. Totally forgot that part of it. Yeah, even sticking
> it into a temp cookie is pretty horrible.
>
> Maybe we could forget the redirect, and just load the entire PIM UI
> in-place on the same page.
Yep, that would work, and provide us with essentially 0 PIM code
load time. Of course, the login page load would increase a little, but
not much beyond what it was at preview, certainly. Of course, we'd need
to do the same with the admin and account browser code, but it's not
impossible. I'm not a huge fan of it because of the way it fights
against the way the web works, but it certainly is on the list of
options.
-Travis