WebSeitz/wikilog
Basic Authentication

last edited by BillSeitz on Aug 9, 2008 3:28 pm
A lightweight approach to web app HTTP authentication (the one that automatically pops up a login box). The username and password are encoded, but in a way (base64) that is brainless to decode, so it doesn't offer any real security.
Though I suppose you could do Basic Authentication over SSL. But then every page would have to use SSL, unless you issue an (encrypted) domain-wide web cookie.
The id/pw is re-submitted with every request to that domain/host/port (realm?) until the browser quits.
There is no "logout" function possible.
If you want to run multiple servers on different ports/hosts, that id can't follow along.
You don't have a pretty login form to provide context around the fields themselves.
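The base64 point above, as an added example that is not part of the original page: a server-side parser for the `Authorization: Basic` header that recovers the username and password without any key, which is why the header needs SSL underneath it. The function names and sample credentials are constructed for illustration.

```python
import base64
import hmac


def build_basic_header(username, password):
    """The value a browser re-sends on every request once the login box is filled in."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Return (username, password) from an Authorization value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # No secret is involved: base64 is an encoding, not encryption.
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Only the first colon separates the fields; a password may contain colons.
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


def credentials_match(header_value, expected_user, expected_password):
    """Server-side check; compares both fields in constant time."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    user_ok = hmac.compare_digest(parsed[0].encode(), expected_user.encode())
    pw_ok = hmac.compare_digest(parsed[1].encode(), expected_password.encode())
    return user_ok and pw_ok


if __name__ == "__main__":
    # Constructed sample credentials.
    header = build_basic_header("alice", "s3cret:with:colons")
    print(header)
    print(parse_basic_header(header))  # anyone who can read the header can do this
```
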
The problem with non-Basic Authentication models of web app login:
There's no real standard of how to "do it" (patterns of user interface, or data management),
so automated tools (e.g. an RSS aggregator) can't log in (or am I wrong?).
Note there is some agreement on the XML-RPC model.
You probably want to support both models together. But I don't think this can be done all that smoothly...