At the moment the only way to pass authentication information to TWiki when TemplateLogin is in use is via the username and password parameters. This is insecure, and rather hard to code for when writing, for example, REST handlers.

HTTP has a standard header, Authorization, that is used to pass auth information to the server when ApacheLogin is in use. IMHO there's no reason not to use this for TemplateLogin as well, but with the big difference of course that the header needs to be explicitly included in the request, rather than appearing automagically.

I'm setting this to Urgent because I feel it really needs to be done sooner rather than later.

-- TWiki:Main/CrawfordCurrie - 19 Jul 2007
"Urgent" would block a release, and for a pretty long time in this case, as far as I can tell.

The Authorization header is supplied by browsers, after they have acquired the appropriate credentials, for example a user id and a password. As far as I can tell, there's no chance to convince browsers to create this header from something as simple as a TemplateLogin HTML form.

Browsers usually ask for a user id and password if they receive a 401 status code accompanied by a WWW-Authenticate header, which you can both send from a CGI script. But if they do, they are using their own forms. All you can provide from your CGI is a realm string which can tell the user what his user id will be used for. So there's no chance that this will look like a TemplateLogin.

Username and password aren't really more secure when used in the Authorization header as compared to form parameters of a POST request. Both need to be used with HTTPS if you are serious about security.

So I'm setting this to "Enhancement".

-- TWiki:Main.HaraldJoerg - 20 Jul 2007
Sadly, Apache doesn't pass on the Authorization header to CGIs, and while I have found a Rewrite that might help, it didn't work on my system.

-- SvenDowideit - 09 Dec 2010
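To make concrete what a REST handler would have to do with an explicitly supplied Authorization header (Crawford's proposal above) and why the Apache-to-CGI hand-off Sven mentions matters, here is an added example. It is not TWiki code (TWiki is written in Perl; this is a Python sketch of the same logic) and it assumes a CGI-style environment dict: the `USERS` table, the realm string, and the `REDIRECT_HTTP_AUTHORIZATION` fallback (the name Apache gives an environment variable set by a RewriteRule across an internal redirect) are the example's own assumptions, not part of the page.

```python
import base64
import binascii
import hmac

# Constructed credential store (username -> password), used only so the
# example runs offline. A real server would consult its password manager.
USERS = {"alice": "correct horse battery staple"}

# Realm shown in the 401 challenge; hypothetical value.
REALM = "TWiki"


def parse_basic_authorization(header):
    """Return (user, password) from an 'Authorization: Basic <b64>' value.

    Returns None for a missing header, a non-Basic scheme, bad base64 or a
    payload without the 'user:password' shape, so callers treat all of these
    as 'no credentials supplied' rather than raising.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_credentials(user, password):
    """Compare in constant time; unknown users still go through a compare."""
    expected = USERS.get(user)
    candidate = expected if expected is not None else ""
    matched = hmac.compare_digest(candidate.encode("utf-8"), password.encode("utf-8"))
    return matched and expected is not None


def authenticate(environ):
    """Resolve the caller from a CGI-style environment dict.

    Returns (status, extra_headers, user). On failure the status is 401 and
    the WWW-Authenticate challenge is included, as Harald describes; on
    success the authenticated user name is returned.
    """
    # Apache exposes the header to a CGI as HTTP_AUTHORIZATION only when it is
    # configured to forward it; a RewriteRule-based workaround may surface it
    # with a REDIRECT_ prefix instead, so both names are consulted (assumption).
    header = environ.get("HTTP_AUTHORIZATION") or environ.get("REDIRECT_HTTP_AUTHORIZATION")
    challenge = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
    creds = parse_basic_authorization(header)
    if creds is None:
        return ("401 Unauthorized", challenge, None)
    user, password = creds
    if not check_credentials(user, password):
        return ("401 Unauthorized", challenge, None)
    return ("200 OK", [], user)


def make_basic_header(user, password):
    """Build the header value a REST client has to add to its request itself."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    good = {"HTTP_AUTHORIZATION": make_basic_header("alice", "correct horse battery staple")}
    print(authenticate(good))
    print(authenticate({}))
```

As the discussion notes, the header carries the password in clear (base64 is an encoding, not encryption), so this only makes sense over HTTPS; the handler's contribution is to treat every malformed or absent header identically and to avoid leaking which user names exist through comparison timing.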