Cookieless authentication (part 2)


So now I have change my requirements, a true logout mechanism must have some conditions and priorities (personal opinion):

  1. Accessibility
  2. Cross Platform
  3. Header Based Authentication, no cookies
  4. Independent of the authentication mechanism

1.- Recently I have been paying much more attention to the web pages I create. The approach I use now is the Hijax: think about using AJAX, create your pages as javascript is disabled, then add the Javascript for the fun stuff. With this
approach you are making sure your web pages are always looking good even if Javascript is disabled. Of course, there will be some situations where you can assume that Javascript is required by that can be managed on a case basis. Currently my approach to perform the
logout mechanism suffers horribly in this requirement, so, this is one of the aspects I need to work to improve my login/logout mechanism. I haven’t done the tests yet, but my feeling is that I will have 2 layers of logout: one at the client side (using some Javascript) and
the other at the server side.

2.- When I am at work or home I usually use Firefox; when I am programming something I test it on Firefox and Internet Explorer 6 & 7. Recently I have been doing some work with a friend (Carlos) and I realized that my mechanism for logout doesn’t work for Safari. So my mechanism is just partial and not robust enough. But how I am handling this situation right now? Well, I have to admit, I still use my script for logout and it does its job for IE & Firefox (version 2 sometimes doesn’t work) but I am also using a session handler via php (yes, it is a cookie!) for the cases of the other browser (Opera, Safari, etc). In the next part I will be posting my current configuration. So, this is another requirement that is not satisfy by my logout script.

3.- As Berend de Boer mentioned in his article, cookies should not be used for authentication. Yeah! this is really controversial and each one will have different opinions; you even will say “hey! you are using wordpress which handles sessions by cookies, so?”; sure, I have nothing against using cookies, is just that I am working on a solution that relies on the header for authentication rather than on the cookies. At the end, it depends on what you want to implement.

4.- I believe the login/logout mechanism should be flexible enough to support different authentication mechanisms. For this item you should keep in mind that your desired clients (browsers) should support the authentication mechanism you want to implement; not all of them are implemented in all the browsers. For example, if I recall correctly, the Digest Authentication mechanism does not work with Pocket Internet Explorer, so another mechanism needs to be used (Basic works for sure). Then, you need to check if your server supports the mechanism that you want to implement; if is not supported then you might need to implement it yourself.

Personally I implement solutions using Apache Digest authentication with php on the server side. I even had to code the Digest authentication to support old Apache servers (especially version 1.3). Currently it works with Opera, IE, FF, Safari; but as I mentioned before, the trick is coming from the session handler. I might setup a new area for the purposes of testing to any one.

So, this is my current status. My next steps are to adjust my authentication mechanism to reflect my new requirements. In the meanwhile I have to accept that in order to get some of them working (cross-platform) I had to give up in others (header-based). But, since
I have more clearly identify my needs and requirements I can safely say that my solution will be a “a cookie-less PHP-based login/logout mechanism for the Digest Authentication module”

Thank you for reading this post. You can now Read Comments (2) or Leave A Trackback.

2 Responses to “Cookieless authentication (part 2)

  • 1
    May 6th, 2008 03:39

    I’m trying to use the REST solution logout and login to allow a private realm

    I have apache 2.2.4 and kubuntu 7.10

    We protect a directory /private with .htaccess

    Inside of /private we have another directory /privateA with a file index.php

    We have 2 users in .htpasswd (“test1” and “test2”)

    I want that to /private can be accessed by any user

    To /private/privateA I only want can be accessed by “test1”

    In /private we have:

    ErrorDocument 401 /accessDenied.php
    AuthType Basic
    AuthName “private”
    AuthUserFile “.htpasswd”
    Require valid-user

    and in /private/privateA
    Require user test1
    ErrorDocument 401 /accessDenied.php

    The problem is that when I acccess with “test2” and write the url, the user credential are deleted
    and a pop-up window is promt. If I cancel this pop-up, goes to ErrorDocument
    401. But I’m not registed because there are not user credentials.

    If I access to, goes to ErrorDocument
    directly and don’t delete the user credential

    /accessDenied.php is in rootdocument (/var/www/html) and my protected
    directory is in /var/www/html/private and /var/www/html/private/privateA.

    The file /var/www/html/private/privateA/index.php doesn’t have to access to
    any file (css, img, js, etc), only:


    Then, why I lost my user credential if I access
    to /var/www/html/private/privateA/index.php and I don’t lost it if I access
    to /var/www/html/private/privateA directory??

    Thank you very much



  • 2
    December 28th, 2009 19:19

    Couldn’t be written any better. Reading this post reminds me of my old room mate! He always kept talking about this. I will forward this article to him. Pretty sure he will have a good read. Thanks for sharing! My blog

Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.