Re: [hybi] WebSocket handshake (HTTP and SSO)
Hector Santos <hsantos@isdg.net> Mon, 30 August 2010 04:16 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 247F03A6927 for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 21:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.048
X-Spam-Level:
X-Spam-Status: No, score=-4.048 tagged_above=-999 required=5 tests=[AWL=-2.049, BAYES_00=-2.599, J_CHICKENPOX_63=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQlRaVjTp0m2 for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 21:16:04 -0700 (PDT)
Received: from mail3.winserver.com (mail3.winserver.com [208.247.131.15]) by core3.amsl.com (Postfix) with ESMTP id A61C83A6918 for <hybi@ietf.org>; Sun, 29 Aug 2010 21:16:03 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Mon, 30 Aug 2010 00:16:46 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2759833671; Mon, 30 Aug 2010 00:16:44 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Mon, 30 Aug 2010 00:14:45 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3347931266; Mon, 30 Aug 2010 00:14:45 -0400
Message-ID: <4C7B309E.4050303@isdg.net>
Date: Mon, 30 Aug 2010 00:16:30 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: John Tamplin <jat@google.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com>
In-Reply-To: <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 04:16:05 -0000
John Tamplin wrote: > How many websites actually use HTTP Auth to protect the data? In my > experience, not many, because they want to control how the user logs > in and of limitations like not supporting logout. John, one really can't design protocols based on subjective opinions like this. HTTP AUTH is a standard and it should be expected it will be used regardless of the perceived numbers. I still see many sites use HTTP AUTH. Our system allows operators to use BASIC, DIGEST and cookie-based form logins and mixed depending on the user browser setting. BASIC was the original offering and there are still many customers using it, mostly combined combined with SSL. DIGEST was still optional so you didn't guarantee it and JS was still something that wasn't forced upon their users - for security reasons. Of course today, you see more JS logins and we push the more "acceptable" javascript based logins, but its not forced. Also, PCI requirements can caused many non-standard javascript login implementations to fail. DIGEST+SSL with NONCE support is acceptable for PCI compliance. Also, you can have a logout box even with BASIC/DIGEST by combining it with a session cookie. Issuing a 403, combining with a 401 again when the session cookie is not there, will invalidate the credentials in most, if not all the browsers tested over the years. Only when the user has cookies off, do we redirect them to a "CLOSE YOUR BROWSER" page. > Anyway, this strikes me as something to go over in detail when we are > further down the road from where we are. I think we need to finish up > the framing and get basic agreement on how the handshake should look, > and then we can take up how to get credentials to a WebSocket server. +1, and when we get there, IMV a key design question will be if a 401 will trigger a HTTP AUTH browser popup or whether the websocket class should have a OnAuth() event where perhaps the JS can do a redirect to a login page. For that matter, offer the main "page change flow" events: OnAuth() triggered by 401 OnRedirect() triggered by 302 -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com
- [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Eric Rescorla
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Joe Hildebrand
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Gabriel Montenegro
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Willy Tarreau
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins