bvrmn 4 days ago

> if you store session data on the server, identify the user using the Authorization header.

And by what miracle would the browser send an Authorization header? Who sets it? For which domain could it be set?

IgorPartola 4 days ago | parent [-]

Take a look at how basic auth is implemented in browsers today. Now imagine expanding it to (a) provide a much nicer and somewhat customizable UI for entering your credentials and (b) using proper encryption.

bvrmn 4 days ago | parent [-]

What about redirects from other sites? Should Authorization behave like cookies? My point is that cookies are OK for auth, and you would basically have to reinvent the same things with another header.

IgorPartola 3 days ago | parent [-]

That header was invented for this exact purpose before cookies were invented. It has wide browser support and semantics that make sense. Moreover, the design specifically includes provisions for additional auth mechanisms (basic and digest being the two most widely used). The downside was that the UI for setting that header was ugly.

Your comments remind me of the people who didn’t get HTTP verbs and wanted to use POST for everything before rediscovering REST.

bvrmn 3 days ago | parent [-]

> and semantics that make sense

A paradise for CSRF.

> Your comments remind me of the people who didn’t get HTTP verbs and wanted to use POST for everything before rediscovering REST.

REST is not about HTTP methods if you read the paper. It's curious you have a direct map between HTTP methods and REST verbs as your mental model.
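
Added example, not code from the thread: a small JavaScript model of the Basic challenge/response exchange IgorPartola points to ("how basic auth is implemented in browsers today") and of the credential caching behind bvrmn's "paradise for CSRF" remark. The realm, origin, user table and password are constructed sample data, and the browser model is deliberately simplified (it caches one header per origin rather than per protection space).

```javascript
"use strict";

// Constructed sample credential store; realm, user name and password are hypothetical.
const REALM = "app";
const USERS = new Map([["alice", "correct horse battery staple"]]);

// Compare two strings without short-circuiting on the first mismatch, so a
// wrong guess does not leak how many leading characters were right.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Client side: build the header value. This is base64, an encoding, not
// encryption: anyone who can read the request can read the password.
function encodeBasic(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`, "utf8").toString("base64");
}

// Server side: parse "Authorization: Basic <base64(user:pass)>".
// Returns { user, pass } or null if the header is absent or malformed.
function parseBasic(header) {
  if (typeof header !== "string") return null;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/i.exec(header.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;      // the user-id may not contain ':', so split on the first one
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Server side of one request. `headers` is a plain object with lower-case keys;
// the return value models the HTTP response.
function handleRequest(headers) {
  const creds = parseBasic(headers.authorization);
  const ok = creds !== null && USERS.has(creds.user) && safeEqual(USERS.get(creds.user), creds.pass);
  if (!ok) {
    // No or bad credentials: issue the challenge. A browser reacts to this
    // status + header by prompting the user and retrying with Authorization set.
    return {
      status: 401,
      headers: { "www-authenticate": `Basic realm="${REALM}", charset="UTF-8"` },
      body: "",
    };
  }
  return { status: 200, headers: {}, body: `hello ${creds.user}` };
}

// Minimal model of a browser's Basic-auth behaviour: send the request bare,
// on a 401 Basic challenge ask the user once, retry, and cache the header for
// that origin. Every later request to the origin, whoever triggered it, gets
// the cached header attached automatically. That is the cookie-like ambient
// authority the thread is arguing about.
function makeBrowser(promptFn) {
  const cache = new Map();                 // origin -> cached Authorization value
  const browser = { prompts: 0, cache };
  browser.fetch = function (origin, server) {
    const headers = {};
    if (cache.has(origin)) headers.authorization = cache.get(origin);
    let res = server(headers);
    if (res.status === 401 && /^Basic\b/i.test(res.headers["www-authenticate"] || "")) {
      browser.prompts++;
      const { user, pass } = promptFn(origin);
      const auth = encodeBasic(user, pass);
      res = server({ authorization: auth });
      if (res.status !== 401) cache.set(origin, auth);
    }
    return res;
  };
  return browser;
}

// Walk through the exchange: the first request triggers one prompt; the second,
// standing in for a request an unrelated site caused (a redirect or an <img>
// pointing at the origin), succeeds silently with the cached credentials.
function demo() {
  const origin = "https://app.example";   // hypothetical origin
  const browser = makeBrowser(() => ({ user: "alice", pass: "correct horse battery staple" }));
  const first = browser.fetch(origin, handleRequest);
  const crossSite = browser.fetch(origin, handleRequest);
  return { first: first.status, crossSite: crossSite.status, prompts: browser.prompts };
}

console.log(demo());
```

Running it prints `{ first: 200, crossSite: 200, prompts: 1 }`: one prompt, then silent reuse. The server half is the part a real deployment would keep (challenge on anything that fails to parse or verify, split the decoded value on the first colon only, compare in constant time); the browser half only exists to make the caching behaviour visible.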