+++++++++++++++++++++++++++++++++++
Authorization over multiple domains
+++++++++++++++++++++++++++++++++++
-----------------------
And why it doesn't work
-----------------------

:Author: Guido Goldstein
:Email: gst@infrae.com
:License: BSD, see LICENSE.txt


1. Methods of authentication and authorization
==============================================

1.1 Basic Authentication
------------------------

This is the simplest authentication method available today, and it
is the only one supported well by all known browsers. Despite the
fact that it is completely insecure, the aforementioned fact that
even the oldest browsers support it well still makes it a choice.

Basic auth works at the HTTP level by expecting and setting special
headers in the request and the response.

Unfortunately, Basic authentication only works for one host at a
time. This even includes the port number, which is considered part
of the host specification in this case.

This means that so-called `single-sign-on` over multiple hosts is
not possible with Basic auth.

This is bad[tm], because Railroad is meant to provide a repository for
CMSs on different hosts and in different domains.

Suggested reading:
 * http://www.w3.org/Protocols/rfc2616/rfc2616.html
 * http://www.ietf.org/rfc/rfc2617.txt

1.2 Cookie based authentication
-------------------------------

Cookie based authentication also uses HTTP headers. After the user
has given their credentials to the server, the server attaches a
special header to the response, which the client stores. This
attachment is called a cookie. The client (browser) sends the cookie
along with every request to this server or to any server in a given
domain.

Based on the cookie, the server can check whether a user is allowed
to access its content or not. Cookies also allow the server to store
state information for a user (so-called sessions).

The original specification (and most implementations) is not secure,
in that the content of the cookie can be changed by hostile
entities. So cookies are not secure either.

Today cookies are supported by most browsers and are used widely. One
of the good aspects of cookies is that they can be used for more than
one host, as long as all hosts belong to the same domain. This leads
to the conclusion that cookies are also useless for interdomain
authorization.

Suggested reading:
 * http://www.faqs.org/rfcs/rfc2965.html
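The two limitations above, as an added example that is not part of the original document (written for this edit, not Railroad code): the first two functions show that the Basic ``Authorization`` header is plain base64 of ``user:password`` and is recovered trivially; the third feeds a ``Set-Cookie`` response into the standard library's ``http.cookiejar`` and reports which later requests the browser-like jar would attach the cookie to. The host names ``www.example.com``, ``cms.example.com`` and ``www.example.org`` are constructed placeholders.

```python
"""Basic auth is only encoded, and cookies stop at the domain boundary."""
import base64
import http.cookiejar
import urllib.request
from email.message import Message


def basic_authorization(user, password):
    """Build the Authorization header Basic auth sends with every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header):
    """Recover the cleartext credentials: base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class _StubResponse:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_to(set_by_url, set_cookie, request_urls):
    """Store a cookie set by set_by_url, then report for each request URL
    whether the jar would send it (stdlib domain-matching rules apply)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_StubResponse(set_cookie), urllib.request.Request(set_by_url))
    sent = {}
    for url in request_urls:
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # adds a Cookie header only if domain/path match
        sent[url] = req.get_header("Cookie") is not None
    return sent


if __name__ == "__main__":
    hdr = basic_authorization("alice", "s3cret")  # constructed sample credentials
    print(hdr, "->", basic_credentials(hdr))
    print(cookie_sent_to("http://www.example.com/login",
                         "session=abc123; Domain=example.com; Path=/",
                         ["http://www.example.com/", "http://cms.example.com/",
                          "http://www.example.org/"]))
```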




..
   Local Variables:
   mode: rst
   indent-tabs-mode: nil
   sentence-end-double-space: nil
   fill-column: 70
   End:
