Developers of Sympa

[John-Paul Robinson <address@concealed>]

How do RSS feeds deal with HTTP authentication?  If a URL for a feed is 
protected by this is there a prescribed behavior?  More specifically, how 
does an RSS reader deal with redirection, if it occurs?

If RSS is really cookie-less then the above won't work, so what about a 
session number in the feed?  Sessions could time-out so potential exposure 
can be controlled but how does RSS deal with things like login to even 
handle a session URL?

Here are a couple of URLs about private rss feeds:

Older discussion:

  http://labs.silverorange.com/archives/2003/july/privaterss

How Radio UserLand does them

  http://radio.userland.com/stories/storyReader$7001 

I'm not finding any clear statements on how this should be handled.  If 
there is to be passwords/sessionids in URLs they really need to be 
short-lived in order to keep things private.  This has complexities of 
it's own.  

Another option might be to use SSL-based authentication... while that 
would probably work (given an RSS client supports it), it would have it's 
one set of deployment issues.

~jpr

On Thu, 2 Mar 2006, Serge wrote:

> The way we manage authentication in Sympa is going to change totally as 
> described in the page 
> http://www.sympa.org/wiki/doku.php?id=project_direction . But this will 
> not solve the problem.
> Because RSS readers to not manage cookies, the only solution could be 
> collect authentication information from the URL ( a part of the URL 
> could be some personnal secret sent to a particular authenticated user 
> ). In fact, we could introduce the sympa_user cookie value in the URL.  
> Unfortunitly, this secret URL may become public as soon as some user 
> brodcast this URL to some french or copy it to a page which is collected 
> by google ...
> 
> Any proposition ?
> Serge
>