On 16/09/05, Ævar Arnfjörð Bjarmason avarab@gmail.com wrote:
> Isn't it possible to just use HTTP authentication with RSS/Atom feeds? Or is this a problem for some reason?
*sigh*
Sorry, that's a rude start, but this conversation seems doomed to go round in circles every few months - until someone implements a decent solution, I guess. See, for example, http://mail.wikipedia.org/pipermail/wikitech-l/2004-December/026562.html - where Brion points out that even if most RSS readers can use HTTP authentication, MediaWiki can't, so it's not really all that helpful.
Also, remember that RSS readers come in all shapes and sizes, including web-based aggregators, and telling people to type their username and password into those as plain text (i.e. in the URL) is *far* worse than just making their watchlist public. Hence the need for an authentication token that's not the user's normal password, and hence it might as well just be at the end of the URL, rather than in the special "user:pass@host" format.
And in case anyone's about to mention some RSS readers supporting cookies (because they're built into browsers): http://bugzilla.wikimedia.org/show_bug.cgi?id=471#c12:
But anyway, the sense in which that approach is kind of hacky is that it's not really a "deficiency in other RSS readers" - they're not web browsers, so they don't support rendering and submitting an HTML form (currently the only way of logging in). Who knows whether or not they'd support cookies in general, but the question is how to do the authentication in the first place.
I remain convinced that the only reasonable solutions, which will apply to *all* RSS readers, are:
1) allow users to opt in to RSS, and make sure they realise this means anyone can look at it
2) allow users to opt in, and give them a pseudo-secret URL when they do
If anyone can come up with anything equally flexible but more secure, fine; if not, anyone interested in this feature should work on implementing it on those principles. (IMHO)
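
The "pseudo-secret URL" option from the message above, as an added sketch that is not part of the original email and is not MediaWiki code. The function names, the `user`/`feed`/`token` query parameters, the in-memory store and the `wiki.example` host are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical store: username -> SHA-256 hex digest of the current feed token.
# Only the hash is kept, so a leaked table does not reveal working feed URLs.
_token_hashes = {}

def opt_in(username):
    """Opt the user in and issue a fresh random token, unrelated to the password.
    Calling it again rotates the token and invalidates the old URL."""
    token = secrets.token_urlsafe(32)
    _token_hashes[username] = hashlib.sha256(token.encode()).hexdigest()
    return token

def opt_out(username):
    """Withdraw the feed; any URL handed to an aggregator stops working."""
    _token_hashes.pop(username, None)

def feed_url(base, username, token):
    """Build the URL the user pastes into a reader (token as a plain parameter,
    not the user:pass@host form)."""
    return base + "?" + urlencode({"user": username, "feed": "rss", "token": token})

def authorize(url):
    """Return the username whose watchlist feed may be served, or None."""
    query = parse_qs(urlsplit(url).query)
    user = query.get("user", [""])[0]
    token = query.get("token", [""])[0]
    stored = _token_hashes.get(user)
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Compare against a dummy digest for unknown users so both paths do the
    # same work, and use a constant-time comparison for the digest itself.
    expected = stored if stored is not None else "0" * 64
    matches = hmac.compare_digest(presented, expected)
    return user if (matches and stored is not None) else None
```

Because the token travels in the URL, it will show up in aggregator and proxy logs, so it should grant read access to the feed only and nothing else on the account.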