Timothy D. Morgan has published an excellent paper describing
- How UI limitations hinder adoption of HTTP based authentication
- How UI behaviors are/can be abused pertaining to HTTP auth
- Observations on Cookie limitations
- Proposals for browser vendors to allow for more widescale adoption of HTTP based auth such as digest
From the paper
"In this paper, we compare the security weaknesses and usability limitations of both cookie based session management and HTTP digest authentication; demonstrating how digest authentication is clearly the more secure system in practice. We propose several small changes in browser behavior and HTTP standards that will make HTTP authentication schemes, such as digest authentication, a viable option in future application development."
One of the better papers I've read in a long time and certainly worth checking out if you consider yourself an HTTP haxor.
Paper: http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
