14 Jun 2005 tnt   » (Master)

HTTP Authentication... the forgotten paradigm
When I first really started developing sophisticated web sites, I immediately found that I needed to create user authentication systems. Users needed to be able to "login" and "logout" of the site.

The immediate answer to this, at first, seemed to be to use HTTP authentication -- RFC 2617. However, there is one glaring problem with using HTTP authentication. None of the web browsers (that I know of) provide you with a way to "logout".

Web Browsers need to fix this "usability" problem they have with their use of HTTP Authentication. Although I think "fixing" this should probably be a 2 step process. I suggest that they first do a "quick fix" and then do a "proper fix".

The "quick fix" is to make it so web browsers provide some method -- a button or something -- that the user can use to "clear" the HTTP Authentication info. (The browser should also communicate to the user, through the user interface, when they are "logged in". I.e., when the browser has and is sending HTTP Authentication info for that site.) Of course, this isn't optimal, which is where the "proper fix" comes into play.

The "proper fix" is a little more involved. What really needs to happen is there needs to be a standard "hand shake" between the client and the server, that tells the server when the client is logging out. Something along the lines of:

  1. The client sends a "log me out" message to the server.
  2. The server receives the "log me out" message and "cleans up".
  3. The server sends a "you are logged out" message to the client.
  4. The client receives the "you are logged out" message, and "clears" the "HTTP Authentication" data.

Also, with the "proper fix" there needs to be a way to let the web developer put the "logout" button inside of his web pages (or web applications). The web developer should be able to check, via JavaScript, whether the browser has "HTTP Authentication" info or not. And the web developer should be able to initiate the "logout" "hand shake" via JavaScript.

And while we're at it, the "proper fix" should let the web developer control the "login" as well. Letting them create and use their own "login" window (or whatever). And let them do it via JavaScript.


HTML 5's Canvas
I've been looking at the coming HTML 5 <canvas> tag. This is something that has been long coming to HTML. (I've wanted something like this for a long time. Even when doing XUL development, I wanted something like this.)

(BTW, the HTML 5 standard isn't defined yet. This is something that is coming. However, it is already implemented in Mozilla-based browsers like Firefox and Apple's Safari.)

For those that don't know, there is a new tag coming to HTML 5 -- the <canvas> tag. What it does is allow you to "draw" pixmap images using JavaScript (using an "immediate mode" API). So you do stuff like:


<html>
  <head>
    <title>HTML 5 Canvas Example</title>
    <script type="application/x-javascript">
      function drawit() {
        var c = document.getElementById('the-canvas').getContext('2d');

        // Draw the image...
      }
    </script>
  </head>
  <body onload="drawit();">
    <canvas id="the-canvas" width="640" height="480">
      Your browser does not support the HTML 5 canvas. Upgrade now. Do it!... DO IT!

      You could also use this space, inside the "canvas" tag, to put in something like an "img" tag, so that you have a graceful fallback.
    </canvas>
  </body>
</html>

You can even get a "data URL" from this canvas, after you've drawn to it. (See RFC 2397 if you don't know what a "data URL" is.) So, you can "save" your drawings! (Possibly by uploading them to the server.)
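
An added example, not part of the original post: when drawings are uploaded to the server as data URLs, the server receives a client-controlled string and has to validate it before storing it. The Node.js code below parses the RFC 2397 syntax and accepts only base64 PNG content; `parseCanvasUpload`, `MAX_BYTES` and the 2 MiB limit are assumptions made for this illustration.

```javascript
// Added example: server-side check of an uploaded canvas "data URL" (RFC 2397).
// parseCanvasUpload and MAX_BYTES are hypothetical names, not from the post.
const MAX_BYTES = 2 * 1024 * 1024; // assumed upload limit
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

function parseCanvasUpload(dataUrl) {
  if (typeof dataUrl !== 'string') throw new Error('not a string');
  // RFC 2397 syntax: data:[<mediatype>][;base64],<data>
  if (!/^data:/i.test(dataUrl)) throw new Error('not a data URL');
  const comma = dataUrl.indexOf(',');
  if (comma === -1) throw new Error('missing comma separator');
  const params = dataUrl.slice(5, comma).split(';');
  const payload = dataUrl.slice(comma + 1);

  // An omitted media type defaults to text/plain per the RFC.
  const mediaType = (params[0] || 'text/plain').trim().toLowerCase();
  const isBase64 = params.slice(1).some((p) => p.trim().toLowerCase() === 'base64');

  // Accept only what the page's canvas is expected to send (PNG, base64).
  if (mediaType !== 'image/png') throw new Error('unexpected media type');
  if (!isBase64) throw new Error('expected base64 encoding');
  // Reject oversized input before doing any further work on it.
  if (payload.length > Math.ceil(MAX_BYTES / 3) * 4) throw new Error('too large');
  // Buffer.from() skips invalid characters silently, so check the alphabet first.
  if (payload.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(payload)) {
    throw new Error('malformed base64');
  }
  const bytes = Buffer.from(payload, 'base64');
  // The declared type is client-controlled; compare against the PNG signature.
  if (bytes.length < 8 || !bytes.subarray(0, 8).equals(PNG_MAGIC)) {
    throw new Error('content is not a PNG');
  }
  return { mediaType, bytes };
}

// Constructed samples: PNG signature plus filler bytes (not a decodable image),
// and an HTML payload labelled as image/png.
const okUrl = 'data:image/png;base64,' +
  Buffer.concat([PNG_MAGIC, Buffer.from('constructed')]).toString('base64');
const fakeUrl = 'data:image/png;base64,' +
  Buffer.from('<html>constructed</html>').toString('base64');

function accepts(url) {
  try { parseCanvasUpload(url); return true; } catch (e) { return false; }
}
console.log(accepts(okUrl), accepts(fakeUrl));
```

The signature check only confirms the first eight bytes; a server that serves the file back should still decode and re-encode the image, and send it with a fixed `Content-Type`.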

I don't think Flash would have ever had a chance if we'd had this back in the day. But Flash has traction among artists and designers, so we're probably going to have a battle on our hands. To be honest though, I think public standards are going to win.
