news

My feeling is that no authentication mechanism is the best choice: SSL w/ client certificates is robust if done properly with keypair management (a big problem for most users and web sites, and nobody checks the little padlock), HTTP Simple Auth may be intuitive for end-users but it is not very practice due to the limitations shown by moe, FORM-based authentication is a ‘do-it-yourself’ (risks could be reasonably low, but the devil is in the implementation). HTTP Digest Auth is not widely supported in browsers and web servers (but only adds a bit of security to the HTTP Basic Auth). Probably one-time passwords (or variations, like the authentication matrix that some home banking sites provide), and biometry, are much more ’secure’, but I am dreaming here…

If you have a keylogger sniffing your keystrokes, no authentication scheme can help you, but this is a different problem.
At the end, in the web nobody knows I’m a dog!

Except that this one doesn’t hold true: it’s trivial to create a site-specific cookie-aware bot. For example in Python all you need to do is

–
import cookielib, urllib2
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookielib.CookieJar()))
–
You’re done, any URL you’ll open with `opener` will be able to store cookies in the cookiejar and retrieve them from it.

Anyone who’d want to automate data retrieval from your website can trivially do it, even if you’re using a cookie-based authentication scheme.

The only issue is with general purpose tools (such as feed readers) because they can’t automate finding the login/password names/inputs.

“The solutions presented here use only voodoo, so sacrifice your chickens and let’s go!”

I believe that your RSS Reader is the limiting factor. I have personally written several web crawlers that were able to login and accept a cookie for authentication.

“We’ve known they are used to track users and violate privacy.” This is not an issue with the technology. There is nothing in Cookies that allows people to “gather” information that they did not already have about you. This kind of FUD really chaps my hide. Until you are able to demonstrate, and I mean a working world-class application like Amazon, the same kind of personalization with at least the same level of security, don’t go whining about cookies.

Anyone can complain, few can offer solutions.

1. Browsers tend to offer “save login/password” checkboxes and users tend to “forget”
unchecking them which results in user passwords being permanently saved on
machines where they don’t belong.

2. Browsers remember the HTTP auth credentials at least until all browser windows
(not only the current one) are closed. Therefor…

3. It’s quite tricky to implement a “logout-button” and there is no clean way to do it.
The common hack is to assign each user a personal realm which is fugly and fragile,
to say the least.

4. HTTP Simple Auth sends your login/password in the clear *on every request*.
DIGEST auth is tricky to implement and is not supported by all browsers and especially
not by all feed readers etc.

The only way to preserve your sanity is to offer both. Have the regular cookie/rewrite sessions for your users. Additionally do support digest auth (with fallback to simple auth) for those
feed readers.