by aeronautic 3315 days ago
Do you mean basic & digest http auth built into the browsers? If so, yes, they are bad. The issue is you cannot reliably implement log off on all browsers.
2 comments

Is this still true, for any browser that is still used? It seems a couple of decades would be long enough to get this right...
Still true when I tested last year. The core protocol does not have a defined way to get the browser to forget the login.

You have to resort to different fudges on different browsers.

Net/Net: the http auth ui sucks, has bad usability, weak crypto, and is not robust with logout.

HTML/form based auth can be made robust and is a preferable alternative in every case.

I'm talking about using the 'Authentication: ' headers, not relying on the browser's handling of auth (other than making the requests).
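The thread above contrasts browser-handled HTTP Basic auth, where the protocol defines no way to make the browser forget the login, with form-based auth, where the server owns the session. The following Python example is added here and is not code from the thread or any of its commenters. It shows the server side of both designs: parsing and verifying an `Authorization: Basic` header, the 401 "fudge" that is all a server can send when a Basic-auth user asks to log out, and a session store where logout is an actual revocation. The user database, salt, password, and realm name are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# --- HTTP Basic auth: credentials ride along on every request ---------------

def make_basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends for Basic auth (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic <base64>' value into (user, password).

    Returns None for anything that is not well-formed Basic auth, so a
    malformed header is handled exactly like a missing one."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: the user-id may not contain ':', so split on the first colon only
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; never store or compare plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user database: username -> (salt, pbkdf2 hash).
_SAMPLE_SALT = b"constructed-sample-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SAMPLE_SALT, hash_password("correct horse", _SAMPLE_SALT)),
}


def verify_password(user: str, password: str, users=USERS) -> Optional[str]:
    """Return the username if the password matches its stored hash, else None."""
    record = users.get(user)
    if record is None:
        hash_password(password, _SAMPLE_SALT)  # same cost for unknown users
        return None
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return user
    return None


def verify_basic(header: Optional[str], users=USERS) -> Optional[str]:
    """Authenticate one request from its Authorization header. Stateless:
    the server keeps nothing it could later revoke."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return None
    return verify_password(creds[0], creds[1], users)


def basic_auth_logout() -> Tuple[int, Dict[str, str]]:
    """All a server can do for a Basic-auth 'logout': answer 401 and hope the
    browser drops its cached credentials. Whether it does is browser-specific."""
    return 401, {"WWW-Authenticate": 'Basic realm="demo", charset="UTF-8"'}


# --- Form-based login: the server owns the session, so logout is real --------

class SessionStore:
    """Opaque random session tokens held server-side with an expiry."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)
        self._ttl = ttl_seconds

    def login(self, user: str, password: str) -> Optional[str]:
        """Verify the submitted form credentials once, then issue a token."""
        if verify_password(user, password) is None:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.monotonic() + self._ttl)
        return token

    def authenticate(self, token: Optional[str]) -> Optional[str]:
        """Map a session cookie value back to a user, enforcing expiry."""
        if not token or token not in self._sessions:
            return None
        user, expiry = self._sessions[token]
        if time.monotonic() > expiry:
            del self._sessions[token]
            return None
        return user

    def logout(self, token: str) -> None:
        """Revoke the session: the token is useless after this, whatever the browser kept."""
        self._sessions.pop(token, None)
```

The two halves differ in where the state lives. With Basic auth every request re-sends the credentials, so `verify_basic` still succeeds after `basic_auth_logout` has been sent; only the browser can decide to stop sending them. With `SessionStore`, `logout` deletes the record and `authenticate` fails on the next request regardless of what the client still holds.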