Brendan Taylor on Why It’s Worth Fixing HTTP Authentication (through Ryan Tomayko):
(HTTP authentication) is in fact preferable to cookie-based authentication in several ways:
- it can be more secure than HTML forms when SSL is not available. Digest authentication only sends hashed passwords. Servers can trade system resources for immunity to replay and session hijacking attacks (see section 4.5 of RFC2617).
- it can be completely stateless; multiple servers running the same site don’t need to share a session store when Basic authentication is used.
- it simplifies caching. Responses to unauthenticated requests are cached normally, responses to authenticated requests go uncached.
- it works well with AJAX and with automated clients. Do you really need separate authentication mechanisms for your front-end and for your API?
I can’t agree more. The last two make it even more attractive when compared to forms/cookies based authentication.
To make this work, all the server has to do is to provide some hypertext in its 401 responses to kickstart registration or some hints about obtaining credentials.
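As an added illustration (not code from Brendan Taylor's post or Ryan Tomayko's), here is a minimal stateless handler showing the points above: every request is re-verified against a salted password-hash store rather than a session table, authenticated responses are marked so shared caches never keep them, and the 401 carries the `WWW-Authenticate` challenge plus a small hypertext body pointing at registration. The names `USERS`, `REALM`, `handle` and the `/register` path are assumptions for the example; the user record is constructed inline.

```python
import base64
import binascii
import hashlib
import hmac
import html
import os
from typing import Dict, Optional, Tuple

REALM = "example"          # assumed realm name
PBKDF2_ROUNDS = 50_000     # assumed work factor


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record; no plaintext password is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, hash). Any server with a copy of
# this table can answer requests; there is no session store to share.
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": make_record("correct horse battery staple")}


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <b64>' header, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def verify(user: str, password: str) -> bool:
    """Constant-time check against the stored hash; unknown users cost the same as bad passwords."""
    record = USERS.get(user)
    if record is None:
        make_record(password, b"\x00" * 16)  # burn the same work so timing does not reveal valid usernames
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def handle(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Stateless request handler: (status, response headers, body)."""
    creds = parse_basic(request_headers.get("Authorization"))
    if creds and verify(*creds):
        headers = {
            "Content-Type": "text/html; charset=utf-8",
            # Authenticated content must never be served from a shared cache.
            "Cache-Control": "private, no-store",
        }
        return 200, headers, f"<p>Hello, {html.escape(creds[0])}</p>"

    # Challenge, plus hypertext so a human (or a client that renders it) knows
    # where to obtain credentials. /register is an assumed path.
    headers = {
        "WWW-Authenticate": f'Basic realm="{REALM}"',
        "Content-Type": "text/html; charset=utf-8",
    }
    body = (
        "<p>This resource requires an account.</p>"
        '<p><a href="/register">Create an account</a> to obtain credentials.</p>'
    )
    return 401, headers, body


if __name__ == "__main__":
    token = base64.b64encode(b"alice:correct horse battery staple").decode("ascii")
    print(handle({}))                                        # 401 + challenge
    print(handle({"Authorization": "Basic " + token}))       # 200, no-store
```

Because `handle` derives everything it needs from the request and the password table, any number of identical servers can sit behind a load balancer without a shared session store. Basic sends the password itself on every request, so this shape belongs behind TLS; the quoted post's point about Digest is that it avoids that exposure when TLS is not available.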
