[Proposal] Use cookies with HTTP auth

SoniEx2 · August 25, 2020, 6:30pm

When doing HTTP auth, just use cookies tbh.

There’s no good reason to keep sending the user’s plaintext password with literally every request. The benefit of HTTP auth is that you can use non-plaintext methods like challenge-response, but we ditched those with the move to TLS. As such there’s literally no benefit to HTTP auth nowadays, other than being unable to save passwords/integrate with password managers. If you can call that a benefit.

and if you’re wondering why I haven’t joined the group (the one on w3.org), blame this.

awwright · August 27, 2020, 6:03pm

Who is this a proposal for?

Aren’t cookies less secure?

SoniEx2 · August 27, 2020, 6:24pm

what’s less secure: sending a plaintext password on every request to a compromised server, or sending a CSPRNG-generated access token?

awwright · August 27, 2020, 7:55pm

@SoniEx2 There’s other authentication methods that allows the client to send a value computed from a limited-duration access token and a nonce. You can’t do anything like that with cookies.

But, who is this a proposal for?

SoniEx2 · August 27, 2020, 8:08pm

servers and browsers. servers so they set cookies, browsers so they do the password auth once.

collimarco · February 24, 2021, 2:09pm

You forgot all the REST APIs… It’s still useful for stateless requests.

SoniEx2 · February 24, 2021, 3:36pm

Craft your own cookies. Or just send the whole thing in the request body.

Same level of security as HTTP auth, really.