What happened to HTTP authentication?

76 points by ks, almost 15 years ago

10 comments

tptacek, almost 15 years ago
It simply isn't a win.

* Application designers want to control the login/logout experience for users; HTTP auth delegates it to the browser's UI. Here's a telling example: where do you put the "Forgot password?" option on a site that uses HTTP auth?

* There's no logout and no inherent state tracking and to add either of these in-app you have to use the same hacky-seeming techniques you need for form-based auth.

* The "advanced" stuff you can do with HTTP auth (digest auth, for instance) isn't a real security win, especially vs. form-auth and TLS.

* The advanced stuff that is a win, like multi-factor, requires you to keep step-by-step control over the login experience and so isn't amenable to being delegated to the browser.

* It's just not better than web forms as a user experience. Popups are intrusive and ugly.

At the end of the day, there are a couple minor changes all browsers could make in concert merely to make HTTP Auth experience as good as the form auth experience; this would cost many tens of millions of dollars to deploy and would result in an Internet unlikely to be one iota better than what we have now.
troygoode, almost 15 years ago
I think the horse is out of the barn on this one - HTTP auth isn't going to come back. Even if all the browser vendors went and fixed the issues listed in this article tomorrow, HTTP auth still wouldn't support federated identity scenarios, which are being used more and more every day.
k-zed, almost 15 years ago
The reason why we should use HTTP authentication is similar to why we can have custom stylesheets, or why everyone should just use nntp instead of web forums, or a MUA instead of web mail.

"Content" shouldn't provide its own "style" - the user should be free to choose whatever manner of presentation they desire.

Furthermore, using HTTP authentication everywhere (at least as an omnipresent alternative) would make sites much more programmable, and thus accessible.
borisk, almost 15 years ago
"HTTP Authentication may be RESTful, but it's not very USEful." http://www.artima.com/weblogs/viewpost.jsp?thread=155252
albertzeyer, almost 15 years ago
People don't like popups. Esp. ones with just bare text.
fname, almost 15 years ago
Site's dead... Google's got it: http://webcache.googleusercontent.com/search?q=cache:http://www.rooftopsolutions.nl/blog/what-happened-to-http-authentication&hl=en&strip=1
abalashov, almost 15 years ago
It lives on very promisingly--and largely unadulterated--in the world of SIP digest authentication for a) registration requests (401 Unauthorized) and b) proxy challenges for outbound calls (407 Proxy Authentication Required).
smackfu, almost 15 years ago
Isn't the big issue that none of the browsers ever implemented logout of any kind, and just expected you to close your browser?
vsync, almost 15 years ago
Basic auth is insecure except over SSL. Digest auth is secure, but Internet Explorer ruined it for everyone.
joshu, almost 15 years ago
IIRC, the digest HTTP auth stuff essentially forces you to store cleartext passwords.