why forms auth is a bad idea

2008-04-22 @ 11:19

aside from the security complications of using an HTML FORM to collect authentication information and then storing the resulting session in a cookie, there's another reason that using forms authentication is a bad idea - redirects.

while the typical browser can navigate redirects for authentication without problems and the typical user can deal with the context switch ("i asked for the home page and got this login screen instead!"), there is another class of user agents that don't deal with this well at all: automated agents. tools like curl and WFetch (my favorite) are really handy for automating HTTP conversations (go get me the latest orders added to the system, run a report, and then show me the results, etc.). if you are using authentication that follows RFC 2617 (Basic and Digest), these automated agents handle secured web applications just fine: the server answers an unauthenticated request with a 401 and a WWW-Authenticate header, the agent replies with the credentials in an Authorization header, and that one rule works for every protected resource on every server. if you are using something non-standard (i.e. forms authentication with redirection), things get really complicated. with forms auth, when an agent requests a secured resource, instead of getting an HTTP 401 (Unauthorized) it is redirected (302) to the login page, and the ultimate response is a 200 carrying an HTML form. the agent can't tell "denied" from "success" by status code alone, and to get past the login it has to know this particular app's login URL, its form field names, and how its session cookie comes back. bummer
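to make the difference concrete, here is an added example (mine, not code from the original post) in python: a throwaway server that protects the same resource both ways, plus the client logic an automated agent needs for each. the paths, the credentials, the form field names and the session cookie are all made up for the demo and are not from any real application.

```python
import base64
import http.client
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

USER, PASSWORD = "alice", "s3cret"      # constructed demo credentials
SESSION = "session=demo-token"          # constructed session cookie (assumption)

def basic_token(user, pw):
    """RFC 2617 Basic credential: base64 of user:password."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Serves /basic/orders (RFC 2617 Basic) and /forms/orders (forms auth)."""

    def log_message(self, *args):       # keep the demo quiet
        pass

    def _reply(self, status, body=b"", headers=None):
        self.send_response(status)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        path, _, query = self.path.partition("?")
        if path == "/basic/orders":
            # standard: deny with 401 + WWW-Authenticate, serve when the header matches
            if self.headers.get("Authorization") != basic_token(USER, PASSWORD):
                return self._reply(401, headers={"WWW-Authenticate": 'Basic realm="orders"'})
            return self._reply(200, b"3 new orders")
        if path == "/forms/orders":
            # forms auth: no session cookie -> 302 to the login page, never a 401
            if self.headers.get("Cookie") != SESSION:
                return self._reply(302, headers={"Location": "/login?ReturnUrl=" + path})
            return self._reply(200, b"3 new orders")
        if path == "/login":
            return self._reply(200, b'<form method="post"><input name="user">'
                                    b'<input name="pass" type="password"></form>')
        self._reply(404)

    def do_POST(self):
        path, _, query = self.path.partition("?")
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if path != "/login":
            return self._reply(404)
        if form.get("user") != [USER] or form.get("pass") != [PASSWORD]:
            return self._reply(200, b"bad login")   # a failed login is *also* a 200
        back = urllib.parse.parse_qs(query).get("ReturnUrl", ["/"])[0]
        if not back.startswith("/") or back.startswith("//"):
            back = "/"                              # local paths only, no open redirect
        self._reply(302, headers={"Set-Cookie": SESSION, "Location": back})

def start_server():
    """Start the demo server on a free loopback port and return it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _request(port, method, path, headers=None, body=None):
    """One raw request, no redirect following; returns (status, headers, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read().decode()
    conn.close()
    return resp.status, resp.headers, data

def fetch_with_basic(port, path, user, pw):
    """RFC 2617 agent: one generic rule (401 -> retry with Authorization) fits any resource."""
    status, headers, body = _request(port, "GET", path)
    if status == 401 and headers.get("WWW-Authenticate"):
        status, headers, body = _request(port, "GET", path,
                                         {"Authorization": basic_token(user, pw)})
    return status, body

def fetch_with_forms(port, path, user, pw):
    """Forms-auth agent: must know this app's login URL, field names and cookie."""
    status, headers, body = _request(port, "GET", path)
    if status != 302 or "/login" not in (headers.get("Location") or ""):
        return status, body
    creds = urllib.parse.urlencode({"user": user, "pass": pw})
    status, headers, body = _request(port, "POST", headers["Location"],
                                     {"Content-Type": "application/x-www-form-urlencoded"}, creds)
    cookie = headers.get("Set-Cookie")
    if status != 302 or not cookie:
        return status, body                 # "bad login" comes back as a 200
    status, headers, body = _request(port, "GET", headers.get("Location") or path,
                                     {"Cookie": cookie})
    return status, body

def browser_like_get(port, path):
    """What a redirect-following agent (a browser, curl -L) ends up with."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print("basic:", fetch_with_basic(port, "/basic/orders", USER, PASSWORD))
    print("forms:", fetch_with_forms(port, "/forms/orders", USER, PASSWORD))
    print("naive:", browser_like_get(port, "/forms/orders"))
    srv.shutdown()
```

note what browser_like_get returns for /forms/orders: a 200 with a login form in the body, indistinguishable by status from a successful fetch. fetch_with_basic works against any RFC 2617 server unchanged; fetch_with_forms is tied to this app's login URL, field names and cookie, and would have to be rewritten for the next one.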

while the HTTP Auth implementations in common browsers are clunky visually, they are the only really sensible way to handle scalable and secure authentication for HTTP-based applications: a 401 with a WWW-Authenticate challenge tells any client, human-driven or not, exactly what is required, with no app-specific login page to script. one caveat that applies to both approaches: Basic auth sends the credentials (base64-encoded, not encrypted) on every request, so like a forms session cookie it is only as safe as the transport and belongs behind TLS. until browsers come up with better ways to handle HTTP Auth we'll just have to get used to it.
