On 16/09/05, Ævar Arnfjörð Bjarmason <avarab(a)gmail.com> wrote:
> Isn't it possible to just use HTTP authentication
> with RSS/Atom feeds?
> Or is this a problem for some reason?

*sigh*
Sorry, that's a rude start, but this conversation seems doomed to go
round in circles every few months - until someone implements a decent
solution, I guess. See, for example,
http://mail.wikipedia.org/pipermail/wikitech-l/2004-December/026562.html
- where Brion points out that even if most RSS readers can use HTTP
authentication, MediaWiki can't, so it's not really all that helpful.
Also, remember that RSS readers come in all shapes and sizes,
including web-based aggregators, and telling people to type their
username and password into those as plain text (i.e. in the URL) is
*far* worse than just making their watchlist public. Hence the need
for an authentication token that's not the user's normal password, and
hence it might as well just be at the end of the URL, rather than in
the special "user:pass@host" format.
And in case anyone's about to mention some RSS readers supporting
cookies (because they're built into browsers):
http://bugzilla.wikimedia.org/show_bug.cgi?id=471#c12:
> But anyway, the sense in which that approach is kind of hacky is that it's
> not really a "deficiency in other RSS readers" - they're not web browsers,
> so they don't support rendering and submitting an HTML form (currently the
> only way of logging in). Who knows whether or not they'd support cookies in
> general, but the question is how to do the authentication in the first place.

I remain convinced that the only reasonable solutions, which will
apply to *all* RSS readers, are:
1) allow users to opt-in to RSS, and make sure they realise this means
anyone can look at it
2) allow users to opt-in, and give them a pseudo-secret URL when they do
If anyone can come up with anything equally flexible but more secure,
fine; if not, anyone interested in this feature should work on
implementing it on those principles. (IMHO)
--
Rowan Collins BSc
[IMSoP]
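
An added example, not part of the original message and not MediaWiki code: one way the opt-in "pseudo-secret URL" of option 2 could be built so that the token is unrelated to the user's password, can be rotated, and is stored only as a digest. The base URL, the `user` and `token` parameter names, and the `WatchlistFeedTokens` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical base URL and parameter names, chosen for illustration only.
FEED_BASE = "https://wiki.example/feed/watchlist"


class WatchlistFeedTokens:
    """Opt-in feed tokens: random, independent of the password, revocable."""

    def __init__(self):
        self._digests = {}  # username -> SHA-256 hex digest of the current token

    def opt_in(self, user):
        """Enable the feed (or rotate the token) and return the new feed URL."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a digest, so a leaked table does not reveal working URLs.
        self._digests[user] = hashlib.sha256(token.encode()).hexdigest()
        return FEED_BASE + "?" + urlencode({"user": user, "token": token})

    def opt_out(self, user):
        """Disable the feed; any URL handed out earlier stops working."""
        self._digests.pop(user, None)

    def check(self, url):
        """Return the username if the URL carries that user's current token."""
        query = parse_qs(urlsplit(url).query)
        user = query.get("user", [""])[0]
        token = query.get("token", [""])[0]
        stored = self._digests.get(user)
        if stored is None:  # user never opted in, or opted out
            return None
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        return user if hmac.compare_digest(stored, presented) else None


def demo():
    tokens = WatchlistFeedTokens()
    old_url = tokens.opt_in("ExampleUser")  # constructed sample user
    new_url = tokens.opt_in("ExampleUser")  # rotation after a suspected leak
    return tokens.check(old_url), tokens.check(new_url)
```

A token in the URL still ends up in server logs and in whatever aggregator the user pastes it into, which is why it should unlock only the read-only feed and be replaceable without touching the password.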