Comments:
Right, but no one ever made basic auth programmable, right? Well, except for embedding a password in the URL, and that always gives me a kind of nervous tic. I'd love to use basic auth more, but I think it needs a little coding love first on the browser side, and I think many other webmasters might agree.
From: zetawoof Thu, 1-May-2008 7:49 AM (UTC)
Reasons HTTP authentication sucks
- There's no way to force a logout
- Basic sends your password in plain text (well, base64, but that's practically plain text), and the fancier schemes still aren't well-supported
- There's no way to customize the login UI
- Some mobile browsers don't support HTTP authentication at all, because nobody uses it
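The first two points in that list are easy to see in code. What follows is an added example, not code from the original thread or from any commenter: it decodes a Basic Authorization header to show that base64 hides nothing, and contrasts the stateless Basic scheme (the browser resends the credential on every request, so the server has nothing it can revoke) with a server-side session table that can force a logout. The user table, the password, the `SessionStore` class and the `demo` function are all constructed for this illustration; a real application would store password hashes, not plaintext.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo credential store: username -> password.
# Plaintext only so the example runs stand-alone; never do this in production.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization header into (user, password).

    Base64 is an encoding, not encryption: anyone who can read the header
    (a proxy, a log file, a plaintext HTTP hop) can read the credentials.
    Returns None for anything that is not a well-formed Basic header.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check_basic(header: str) -> bool:
    """Verify a Basic header against the user table (constant-time compare)."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(password, expected)


class SessionStore:
    """Server-side session table: the piece Basic auth lacks.

    Because the server holds the state, it can end a session whenever it
    wants; with Basic auth the only "logout" is changing the password.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> username

    def login(self, user: str, password: str) -> Optional[str]:
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(password, expected):
            return None
        sid = secrets.token_urlsafe(32)  # unguessable, high-entropy id
        self._sessions[sid] = user
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def logout(self, sid: str) -> bool:
        return self._sessions.pop(sid, None) is not None

    def force_logout_user(self, user: str) -> int:
        """Server-initiated revocation of every session belonging to `user`."""
        doomed = [s for s, u in self._sessions.items() if u == user]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value carrying only the session id, never the password.
    Secure keeps it off plaintext HTTP; HttpOnly keeps page scripts from reading it."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> dict:
    """Run both schemes side by side and report what each one can and cannot do."""
    header = basic_header("alice", "correct horse battery staple")
    readable = parse_basic_auth(header)          # the "plain text" point
    basic_before = check_basic(header)
    # There is no server-side session to revoke: the same header still works.
    basic_after = check_basic(header)

    store = SessionStore()
    sid = store.login("alice", "correct horse battery staple")
    session_before = store.user_for(sid) == "alice"
    revoked = store.force_logout_user("alice")    # the "force a logout" point
    session_after = store.user_for(sid) is not None
    return {
        "basic_credentials_readable": readable,
        "basic_valid_after_revocation_attempt": basic_after and basic_before,
        "session_valid_before_force_logout": session_before,
        "session_valid_after_force_logout": session_after,
        "sessions_revoked": revoked,
        "cookie": set_cookie_header(sid),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The session id is the only thing the cookie carries, which is why the cookie attributes matter: a `Secure` cookie is never sent over plain HTTP, and `HttpOnly` keeps it out of reach of page scripts. That is the practical form of the "use SSL all the time" argument that comes up further down the thread.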
Agreed. There's no excuse for that crap. I'm working on a flash app right now (or rather, the backend for it) and we're configuring it to work better with remembering your password and auto-logging you in. If we can do it with a flash app, there's no excuse for less complicated pages.
As with any other human-made feature it had both negative and positive effects. For example your cookies can be used by federal agents against you:)
Duh. As we all know, we should use all-natural features, which the feds can't use against us.
I went to chase.com to pay my credit card bill this evening. The cycle for the last year or so has been this:
1. Go to chase.com, notice that the username is not pre-filled.
2. Enter my username and password, check "remember my username", never actually expecting that to work the next month. Log in.
3. Get "Hey, we don't recognize your computer!" (Note: my computer has not been given plastic surgery in the last month.) "We'll have to SMS a code to your cell phone so you can prove yourself to us!"
4. It does so, I enter the 6-digit code, it lets me in.
5. I pay my credit card bill.
6. Repeat next month.
This month, the username wasn't pre-filled, but here's the surprise: it didn't "not recognize" my computer! Isn't technology amazing!
It's probably installing an ActiveX control to query yr 'Windows Genuine Advantage' hardware hash. heh.
I get this too. cardmemberservices.com, which is an identical site except it's hooked up to all of their branded cards, has the same checkbox and doublecheck. It actually remembers the username as well as the doublecheck, so I'd venture to guess that part of their code is broken on chase.com.
yeah, part of the reason I canceled my Chase card was because of this. Hate Hate Hate.
That and I had been with them since 2004, had a 750+ credit score, and they refused to give me any better than 21% interest.
one of my *favorite* fabric stores online times out a session after 30 minutes. This means that, wherever you are on their site, if you've been idle for 30 minutes, you get an error saying "sorry! your session has ended! please go to our home page and start shopping again!"
This even happens when, say, I was shopping Monday night, left a browser open, and start working Tuesday morning, and click on a link from a blog/coworker/client saying "check out this product...". Their STUPID FUCKING SITE loses the context entirely, and sends me to a "your session has timed out, please go to our home page and start over" error page, with zero reference to what I was actually trying to get to. This is great, of course, because I usually have four rows of tabs going, and I have to go re-create what I was looking for in the first place, hoping that the original product reference is still in some chat/email log somewhere so that I can figure out what it was in the first place.
Since a major portion of what I have to do is source materials, their shopping site PISSES ME OFF to no end. I've lost hours of time doing research, only to have them delete my entire cart full of carefully chosen materials, because I was idle for thirty minutes. My new solution is to just continually print my shopping cart to PDF so I can at least re-create it later.
they aren't the worst, but they are a nationwide major retailer. No site where you have to have a user account in order to purchase goods should forget what you were trying to buy. ever.
Have you tried telling them what is wrong, why, and how it has negatively affected your shopping experience?
Waving $$s at companies tends to get them to fix the problem.
Another unnecessary kludge of technology is that 'site popup' thing on LJ. Some people may use it and love it. Personally I don't want a mini-website to pop up any time I mouse over a link. But since the setting is stored in a cookie, any time I use a computer I haven't used before I'm subjected to it again. Or when cookies are auto-purged on my work computer.
Opt-out settings should NOT be stored in cookies.
oh i agree! I've been wondering why more people don't complain bitterly about that "function".
A nice way to make people turn off their "IntelliPictures" preview crud on LJ or elsewhere is to link to your nearest goatse page, (with a catchier link title, of course,) and it'll eventually be turned off.
ARGH yes.
The CMS we use here (cobbled together through MacGyver techniques) logs you out every hour. Doesn't remember anything for you.
Entirely pointless because it's only accessible from within our network, so you're already authenticated somewhere.
You want to know what happened? Let me tell you what happened...Microsoft made saving form data the default behavior, and people happened to stay logged into their bank accounts, eBay accounts, etc, while using shared computers. A few lawsuits later, and you've got image-based challenge-response systems, "this computer isn't recognized" ip-validation systems, cookies holding only session ids, and other various security obfuscations. The real solution to the various security problems is not that stupid Firefox 3 behavior of coloring the url bar green, or making extra-big lock icons that scream "we're secure!" on your sites. The real solution is to use SSL all the time. Browser manufacturers have no excuse to work on the time it takes to create and break down an SSL request/response, and to store all cookie data with the server's public key, so each cookie is encrypted differently. Once you can assume that every request you're processing is SSL, and that any cookie data you send will be secure, you can send a lot more data down to be stored at the client.
From: jferg Thu, 1-May-2008 2:44 PM (UTC)
Remember the good old days when 99% of the people on the internet weren't completely non-technical, and had at least a minimalistic grasp of a.) how the internet worked, and b.) how to keep their personal data somewhat private on their own? Yeah. Me too. Unfortunately, that's not the case now, and the majority of the stupid authentication schemes end up being implemented to keep the lusers safe from themselves. Unfortunately, they just end up inconveniencing the other 2% of the internet that doesn't think that myspace is the greatest thing since the hamsterdance. (And yes, I work for security at a bank, and we've been forced to implement most of this crap by the Office of the Comptroller of the Currency. But, given some of the stupid shit that I've found just by perusing our referrer logs, ( http://luser.tripod.com/myaccounts.html, containing the user's entire username/password and account number list, anyone?) I think for the most part it's justified.) The session-timeout bullshit, though - there's just no excuse for that shit. Edited at 2008-05-01 02:45 pm (UTC)
From: evan Thu, 1-May-2008 3:32 PM (UTC)
Un(der?)documented LJ tip: if you put an ! after your username when you login, you don't have to check off the "remember me" setting. This means Firefox remembers "evan!" as my username so even when my cookies are reset the form autofill remembers enough that I don't have to check the checkbox when I log in again.
MS's Xbox site is extra-retarded in that if you were previously logged in and the session expired, the next time you visit it will immediately take you to an "oh please relog in again now" page. Even if you were just going to the front page, or following a link from another site, or anything else that doesn't even need you to be logged in.
If I remember correctly, it doesn't even give you a "no, go away, continue without logging in" option at that point.
From: boggyb Thu, 1-May-2008 5:09 PM (UTC)
Re: Reasons HTTP authentication sucks
Hear hear.
I spent a chunk of time yesterday attempting to find useful stuff (a headset driver that works with the Windows XP Bluetooth stack). After many pages of google results and several trips to the wayback machine I discovered that there's far too much noise, aggregation sites, advertising sites, dead links, domain squatters and people posting "how do i make this cool thing work without having to read the manual" to have any hope of finding actually useful information.
Oh, so it's not just me/Firefox/my Mac then.
I suppose that's some kind of small comfort.
Recently I've found a pretty good solution for this, which is the iMacros plugin for Firefox. It's basically just very simple macro recording and playback that does all the smart things you would hope. So I can record myself performing complicated multi-step login procedures, and then save the macro into a bookmark, which is basically the easiest thing ever. It's a good fix.
Jesus, the fact that hardly anyone uses HTTP auth these days, yet also break the idea that a URI encapsulates all page state (the fact that hyperdocuments now have state is a whole barrel of hate of its own), TROLLS ME ROTTEN.
"Oh, hai, we redirected via this shitty form that just boings back to the URI you came from, and now all the form data and AJAX wankery state you were doing has been lost. Kthxbye!"