[OT] http-authorization:
Don Russell
fedora at drussell.dnsalias.com
Thu Dec 1 19:08:00 UTC 2005
On 12/1/2005 10:51 AM, Les Mikesell wrote:
> On Thu, 2005-12-01 at 12:32, Don Russell wrote:
>
>
>>I have a web appl that uses status code 401 (authorization required) to
>>challenge the user for an id/password. The client then responds with the
>>http-authorization header etc. All is well.
>>
>>But, I want to make a more 'friendly' log on page:
>>So, my server sends a page with status 200 (OK) with a simple form with
>>two fields: userid/password. (The rest of the page content is the
>>friendly fluff, not relevant to my problem)
>
>
> Usually the way this is done is to turn off basic authentication
> and use something cookie-based instead. You can probably find
> a routine in whatever server scripting language you prefer
> to handle the login and checking if you don't want to write
> your own. A side effect is that you can add a 'logout' button
> to delete the cookie where the only way to get rid of basic
> authentication is to shut down the browser.
OK... thank you... that idea occurred to me, but it seems less secure.
It seems like such a simple need: a way to tell the browser, "Here, use
this page to prompt for the userid and password".
It's too bad that by providing a "splash page" to log on from, that
reduces the overall security of the site... maybe I'm missing something. :-)
Don
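
The cookie-based login with a logout button that Les Mikesell describes above, as an added sketch that is not part of the original thread. The account store, the cookie name `sid`, the paths and the function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

def _hash(password, salt):
    # Slow salted hash so the server never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (assumption, not from the thread).
_SALT = secrets.token_bytes(16)
USERS = {"don": (_SALT, _hash("correct horse", _SALT))}
SESSIONS = {}  # session id -> userid, held server-side only

def login(userid, password):
    """Handle the POST from the friendly form page; return (status, headers)."""
    salt, stored = USERS.get(userid, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, {}
    sid = secrets.token_urlsafe(32)   # random token, carries no credentials
    SESSIONS[sid] = userid
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True       # not readable by page scripts
    c["sid"]["secure"] = True         # only sent over HTTPS
    c["sid"]["samesite"] = "Lax"      # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return 303, {"Set-Cookie": c["sid"].OutputString(), "Location": "/"}

def current_user(cookie_header):
    """Map a request's Cookie header to a userid, or None if not logged in."""
    c = SimpleCookie(cookie_header or "")
    return SESSIONS.get(c["sid"].value) if "sid" in c else None

def logout(cookie_header):
    """The 'logout' button: forget the session and expire the browser cookie."""
    c = SimpleCookie(cookie_header or "")
    if "sid" in c:
        SESSIONS.pop(c["sid"].value, None)   # token is dead even if replayed
    expired = "sid=; Max-Age=0; Path=/; HttpOnly; Secure"
    return 303, {"Set-Cookie": expired, "Location": "/login"}
```

Unlike the Authorization header, the password crosses the wire once, at login; every later request carries only the random token, which the server can revoke at any time.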