I want to bounce an idea around. I have been building web services and web applications for over a decade now, and have more recently been focusing on providing as RESTful a service as possible (eg. using the same URI for both browsers and API clients, but having them modify accept: to decide if to send XML or XHTML).
One big sticking point with using web browsers with RESTful services has been keeping track of user state on private methods. The best way to go about it is for the client to provide HTTP auth token, but not many customers or users like being prompted by a HTTP auth box in their browser, especially when they are used to web-form based login.
HTTP auth also has other issues such as poor expiry support, but in other areas is a lot better than cookie sessions.
My idea is to allow web forms to submit HTTP auth information, by doing the following:
- Provide 2 new HTML input form types, namely type='username' and type='auth'
- When these types are included in a form, the browser will send the values along with the request to the form URI as an HTTP authentication field rather than as POST or GET values.
This can mean that we can have both RESTful user authentication, but without the standard browser login boxes. I have prototyped a dirty Firefox plugin that sort of does this, but currently only supporting BASIC auth (it would eventually work with Digest).
The problem that I can see is if this idea works well, having it standardized and ratified so that all browsers support it along with the standard ugly boxes.
Anybody have any feedback on this idea, or know of any similar effort?
I have an upcoming project that is an intranet and I am almost tempted to finish the plugin (along with client SSL cert support) and use it there as a test.
I couldn't find anything similar, other than a couple of small projects where developers were using Javascript to read in username and password from a form and then using them as the http auth token in an XMLHTTPRequest
Further - Next Steps
After a bunch of research on this, I have decided to take the 1999 template as the basis for a new proposal to submit to the WHATWG for HTML5. The main focal points should be:
- RESTful
- User friendly
- Secure (ie. support Digest, not basic)
- Backwards compatible (ie. wont break previous version)
- Complete prototype
- Solicit more feedback
If anybody else (thanks for the pointers Julian) has anything to add in terms of comments or feedback or any other consideration, please let me know. Once I have this lined up I will blog about it.
Stackoverflow may be a good venue for these types of ideas and proposals..
Stackoverflow Question
How can I bring more attention to this here on Stackoverflow - do most people browse with tags?