r3 - 19 Sep 2006 - 13:14:29 - TravisVachon

Using Basic Authentication with AJAX to access CMP

Problem

We need to use HTTP Basic Authentication on CMP requests. Generally, Basic Authentication is handled by the browser with the authentication popup. This is not acceptable for us because

  1. We already have a form/session based login system.
  2. The popup is wicked ugly, and doesn't feel very AJAX-y. Also, the specific behavior of browser-based Basic Authentication varies from platform to platform (ie, Opera doesn't support Basic Authentication in XMLHttpRequests (<1>)).

Option 1 - Regular browser based Basic Authentication at login time

  • When doing form based login, also do a regular browser-based Basic Authentication automatically (ie, pass a username and password to the request object).
  • Subsequent requests should be given Basic Authentication information automatically by the browser.

Pros:

  • Basic Authentication internals are handled by the browser
  • Could probably be upgraded easily to Digest Authentication in browsers that support it

Cons:

  • "Logging out" of browser handled Basic Authentication is tricky at best, see <1> ("User should be able to log off")
  • If user information is incorrect, browsers will automatically show popup authentication dialog, and users will be forced to authenticate twice. Unless there is a way to suppress this popup dialog (I haven't been able to find an indication that there is) this seems like a serious deal killer.
  • I believe Safari and Opera do not support this in XMLHTTPRequest objects. This also seems like a deal killer.

<1> describes a number of techniques that could make this work. The problem of the dialog box popping up on bad credentials and in a couple other situations still appears to be present in the solutions presented there.

I think the bottom line with this solution is that if we go for it, we'll need to be ok with the dialog box popping up sometimes.

Option 2 - Manually do Basic Authentication for every CMP request

  • When we need to do a CMP request that will require authentication, manually set the Authorization header based on the current user.
  • This is kind of neat. It should work cross-platform, and, at least on Firefox, the header isn't noticed by the browser, so the authentication popup dialog doesn't enter the picture.
  • The big problem is that we need to have the username and password on the client side. This will involve either persisting the username and password on the client side between requests, or getting the username and password from the server when we need them.
  • It may help to implement digest authentication. I'm going to learn about that today, and figure out if it will help.
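As an added example (not code from the original page or the OSAF project), here is what Option 2 looks like in practice: the header value is just "Basic " plus base64("username:password"), and it has to be set by hand on every request. The `xhrFactory` parameter is a hypothetical hook so the request function can be exercised without a real browser; the Aladdin credentials are the standard RFC 2617 example.

```javascript
// Alphabet for RFC 4648 base64 (btoa() was not available in every 2006 browser).
var B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Base64-encode a string whose characters are all single bytes (0..255).
// RFC 2617 does not define a charset for credentials, so non-Latin-1
// characters are rejected rather than silently mangled.
function base64Encode(s) {
  var out = "";
  for (var i = 0; i < s.length; i += 3) {
    var b0 = s.charCodeAt(i), b1 = s.charCodeAt(i + 1), b2 = s.charCodeAt(i + 2);
    if (b0 > 255 || b1 > 255 || b2 > 255) {
      throw new Error("only single-byte characters can be encoded");
    }
    var n = (b0 << 16) | ((b1 || 0) << 8) | (b2 || 0);
    out += B64.charAt((n >> 18) & 63) + B64.charAt((n >> 12) & 63);
    out += isNaN(b1) ? "=" : B64.charAt((n >> 6) & 63);   // pad short groups
    out += isNaN(b2) ? "=" : B64.charAt(n & 63);
  }
  return out;
}

// Build the Authorization header value (RFC 2617 section 2). Note that base64
// is an encoding, not encryption: anyone who sees this header, or the
// variable it was built from, can recover the password. Hence the need for SSL.
function basicAuthHeader(username, password) {
  if (username.indexOf(":") !== -1) {
    throw new Error("username must not contain ':'");  // would corrupt the split
  }
  return "Basic " + base64Encode(username + ":" + password);
}

// Issue one CMP request with the header set manually. Because the server never
// has to send a 401 challenge, the browser's own login popup stays out of it.
// xhrFactory is a hypothetical hook (e.g. function () { return new XMLHttpRequest(); }).
function cmpRequest(xhrFactory, method, url, username, password, callback) {
  var xhr = xhrFactory();
  xhr.open(method, url, true);
  xhr.setRequestHeader("Authorization", basicAuthHeader(username, password));
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) { callback(xhr.status, xhr.responseText); }
  };
  xhr.send(null);
  return xhr;
}
```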

Pros:

  • Lots of control over exactly when authentication happens, and how authentication information is obtained.
  • A corollary to this is that the authentication popup won't get involved in the process.
  • A nice library that does this stuff automatically would probably be useful to other people, and could enable a fully sessionless UI.

Cons:

  • There are security concerns, not all of which I've wrapped my head around.
    • Caching username and password locally (in a cookie, for example) would necessarily (I believe) leave the password exposed.
    • Sending username and password from server to client puts the password over the wire. SSL would help, as might Digest. This would still probably leave the password exposed on the client side at some point (i.e., as a JavaScript variable).
  • Untested solution. As far as I can tell (from a simple google search) there aren't many solutions that manually build and use Authorization headers. Most of the time, this stuff is done by the browser.

<1> http://www.berenddeboer.net/rest/authentication.html

-- TravisVachon - 19 Sep 2006

Open Source Applications Foundation
Except where otherwise noted, this site and its content are licensed by OSAF under a Creative Commons License, Attribution Only 3.0.