ISSUE-13: Handling HTTP status 401 responses / User Agent Authentication Forms

handling-http-401-status

Handling HTTP status 401 responses / User Agent Authentication Forms

State:

CLOSED

Product:

HTML Principles/Requirements

Raised by:

Julian Reschke

Opened on:

2007-11-10

Description:

Handling HTTP status 401 responses / User Agent Authentication Forms

HTTP authentication is in little use in the public web. Most web sites use an HTML form (returned with status 200) and Cookies instead.

This causes quite some problems when the same HTTP resource is accessed both by interactive user agents (browsers) and other clients (web crawlers, download tools, non-HTML based applications using HTTP as application protocol, such as AtomPub or WebDAV). So, authentication should be decoupled from HTML forms so it can be used by non-HTML clients as well.

There are multiple reasons that led to the current situation:

1) The two authentication mechanisms defined in RFC2617 (basic and digest) aren't considered sufficient. This is a problem that whoever updates RFC2617 will have to consider (for now, likely an IETF activity).

2) Browsers do not display the text/html response body of a HTTP 401 response, instead, they just pop up a modal authentication dialog (until "cancel" is pressed).

3) Servers do not send a meaningful response body with the 401 status as browsers do not display it anyway.

HTML5 could help with issues 2) and 3) by defining a way for servers to indicate that the text/html content returned with the 401 status should be displayed to the user, allowing to use an embedded form to enter credentials, which then would be used by the browser for proper HTTP authentication.

There's an old W3C note discussing this: <http://www.w3.org/TR/1999/NOTE-authentform-19990203>.

Related discussion in the Mozilla Bugzilla: <https://bugzilla.mozilla.org/show_bug.cgi?id=271383>

Related Actions Items:

• ACTION-86 on Julian Reschke to Review Thomas Broyer's IETF ID to see if we can postpone ISSUE-13 - due 2009-08-27, closed

Related emails:

1. {minutes} HTML WG Telecon 2010-12-09: status of actions, calls, new decisions (from Paul.Cotton@microsoft.com on 2010-12-16)
2. Re: ISSUE-13: handling-http-401-status - suggest closing on 2009-08-20 (from mjs@apple.com on 2009-09-23)
3. minutes for 2009-09-03 telcon (from mike@w3.org on 2009-09-05)
4. Re: Agenda for HTML WG telcon 2009-08-20 - Accessibility TF, HTML5 Test Suite, etc (from john@jkemp.net on 2009-09-02)
5. Re: Agenda for HTML WG telcon 2009-08-20 - Accessibility TF, HTML5 Test Suite, etc (from mjs@apple.com on 2009-09-02)
6. Re: Agenda for HTML WG telcon 2009-08-20 - Accessibility TF, HTML5 Test Suite, etc (from julian.reschke@gmx.de on 2009-09-02)
7. Agenda for HTML WG telcon 2009-08-20 - Accessibility TF, HTML5 Test Suite, etc (from mjs@apple.com on 2009-09-01)
8. {minutes} HTML WG telcon 2009-08-27 (from annevk@opera.com on 2009-08-27)
9. {agenda} HTML WG telcon 2009-08-27 *PLEASE-READ* (from rubys@intertwingly.net on 2009-08-26)
10. Re: ISSUE-13: suggest closing (from t.broyer@ltgt.net on 2009-08-21)
11. Re: ISSUE-13: suggest closing (from julian.reschke@gmx.de on 2009-08-21)
12. Re: ISSUE-13: suggest closing (from john@jkemp.net on 2009-08-21)
13. Re: ISSUE-13: suggest closing (from julian.reschke@gmx.de on 2009-08-21)
14. State of HTML WG Unresolved Issues (from mjs@apple.com on 2009-08-20)
15. Issues closed (from mjs@apple.com on 2009-08-20)
16. Re: ISSUE-13: suggest closing (from john@jkemp.net on 2009-08-20)
17. Re: ISSUE-13: suggest closing (from julian.reschke@gmx.de on 2009-08-20)
18. {agenda} HTML WG telcon 2009-08-20 (from rubys@intertwingly.net on 2009-08-19)
19. Old issues - will be closed on 2009-08-20 if there are no objections (from mjs@apple.com on 2009-08-13)
20. ISSUE-13: handling-http-401-status - suggest closing on 2009-08-20 (from mjs@apple.com on 2009-08-13)
21. Regarding closing issues (from mjs@apple.com on 2009-08-11)
22. Re: ISSUE-13: suggest closing (from mjs@apple.com on 2009-08-11)
23. Re: ISSUE-13: suggest closing (from julian.reschke@gmx.de on 2009-08-11)
24. ISSUE-13: suggest closing (from mjs@apple.com on 2009-08-10)
25. Re: {agenda} HTML WG telcon 2009-07-23 (from singer@apple.com on 2009-07-22)
26. {agenda} HTML WG telcon 2009-07-23 (from rubys@intertwingly.net on 2009-07-22)
27. Input on the agenda (from ian@hixie.ch on 2009-06-22)
28. Re: {agenda} HTML WG telcon 2009-06-04 -- minutes enclosed (from singer@apple.com on 2009-06-04)
29. Re: {agenda} HTML WG telcon 2009-06-04 -- minutes enclosed (from singer@apple.com on 2009-06-04)
30. Input on the agenda (from ian@hixie.ch on 2009-06-01)
31. Input on the agenda (from ian@hixie.ch on 2009-03-16)
32. Input on the agenda (from ian@hixie.ch on 2009-03-09)
33. minutes: HTML WG telecon 2009-02-19 [draft] (from julian.reschke@gmx.de on 2009-02-19)
34. Re: about draft-broyer-http-cookie-auth (the Cookie Authentication Scheme) and ISSUE-13 (from t.broyer@ltgt.net on 2009-01-24)
35. minutes: HTML WG weekly telcon 22 Jan 2009 (from connolly@w3.org on 2009-01-23)
36. minutes: HTML Weekly Teleconference 08 Jan 2009 (from connolly@w3.org on 2009-01-16)
37. Re: OK to postpone ISSUE-13 handling-http-401-status (form authentication...)? (from t.broyer@ltgt.net on 2008-12-16)
38. OK to postpone ISSUE-13 handling-http-401-status (form authentication...)? (from connolly@w3.org on 2008-12-16)
39. {minutes} 2008-10-23 f2f meeting (day one) (from mike@w3.org on 2008-11-07)
40. ISSUE-13 (handling-http-401-status): Handling HTTP status 401 responses / User Agent Authentication Forms [HTML 5 spec] (from sysbot+tracker@w3.org on 2007-11-10)

Related notes:

Display change log