Re: Customizing the authentication dialog

Dave Kristol (dmk@bell-labs.com)
Mon, 15 Dec 1997 14:48:40 -0500


Scott Lawrence wrote:
> 
> > Could the spec allow for customization of the authentication dialog?
> 
>   The only customization allowed for is the value of the realm, which
>   should be displayed to the user (if any) if challenging for the
>   credentials.  In thinking about customizing this, bear in mind that some
>   clients will not be browsers and will not have human users.

FWIW, ages ago I asked for (and was denied) the addition of a "prompt"
attribute, which would have been (one of) the things the user saw in the
dialog box.  The argument against at the time was, I think, that such an
attribute could be used by a malicious server to fool the user into
giving credentials for a spoofed authentication domain.

Notwithstanding that valid criticism, I still think a "prompt" attribute
could be useful.  In one application I wrote, users have to register
before they can gain access to "protected" documents.  The project, and
hence the realm, is "SEPTEMBER".  But to remind users that they have to
register first, I had to make the HTTP realm attribute be "SEPTEMBER
(You must have registered)", so browsers would present that string, and
users would get the useful hint.

Dave Kristol
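
The trade-off discussed in this thread, as an added example that is not part of the original message: a client parses the challenge, treats the realm as untrusted server-supplied text, and always shows the host taken from the request URL beside it. The function names, the dialog wording, the 60-character cap and the host `docs.example` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# auth-param = name "=" ( token / quoted-string ); names limited to a simple subset here
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_challenge(header):
    """Split one WWW-Authenticate challenge into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Undo backslash escapes inside a quoted-string; tokens are used as-is
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params[name.lower()] = value
    return scheme, params


def dialog_text(request_url, header, max_realm=60):
    """Build the text of a credential prompt (hypothetical layout)."""
    scheme, params = parse_challenge(header)
    # The host comes from the URL the client requested, never from the server's text
    host = urlsplit(request_url).hostname
    realm = params.get("realm", "")
    # The realm is server-controlled: blank out control characters,
    # collapse whitespace and cap the length so it cannot reshape the dialog
    realm = "".join(ch if ch.isprintable() else " " for ch in realm)
    realm = " ".join(realm.split())[:max_realm]
    return (f"{host} requests a username and password ({scheme}).\n"
            f'The site says: "{realm}"')


if __name__ == "__main__":
    # Constructed sample: the realm string quoted in the message above
    print(dialog_text("http://docs.example/protected/",
                      'Basic realm="SEPTEMBER (You must have registered)"'))
```
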