All in the <head> – Ponderings and code by Drew McLellan –

Authentication Required

With the ever increasing marketing demands to gather as much information as possible about site readership, more and more sites are locking the doors and requiring registration before letting anyone in to view their best content. Whilst this is good for the marketeers (and good for the site if that information can be turned around into revenue), it can be inconvenient for users. The fundamental and normally simple act of creating a hyperlink to a page can become a whole lot more complex.

The New York Times site is a classic example. Frequently I’ve followed links on weblogs and such to apparently interesting articles on NYTimes.com. Not once have I succeeded in reading one, due to their insistence on registration. As I have no motivation to register (I can search for the story elsewhere), I’ve never registered – there’s no benefit.

That particular rant aside, this raises an interesting question. What sites like NYTimes.com are doing, by redirecting the user to a login/register page on following a link, is effectively saying that the page they have requested requires authentication. Oh, hold on – don’t we have standards for this?

Leaving aside for the moment the fact that HTTP has its own authentication methods and the fact that handling of those methods in user agents leaves a little to be desired, shouldn’t the above described situation generate an HTTP 401? Looking at it from the point of view that many sites will implement this I’ll-show-you-mine-if-you-whore-your-data approach by utilising an HTTP 301 (moved permanently) to redirect to a login/register page, a 401 would seem more appropriate.

The question remains: should HTTP authentication be preferred for out-and-out authentication-is-required scenarios due to its mere existence, coupled with being an established standard?

If every page that required authentication issued a valid 401, then a consumer could perform a look-ahead before structuring a link. More realistically, if a site like the NYTimes.com requires authentication to access a URI in a link on a given page, the user’s browser could more seamlessly handle the authentication on the user’s behalf. Abstract that idea out to web applications – and in particular non-public web applications, or online software products. Stuff that’s more important to your day than eBay. If the browser was able to handle authentication in a more sophisticated way than recalling form input, that’s another big interface hurdle flattened for the user. You should see my users – I need all the obstacles flattened that I can get.
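The look-ahead described above, as an added example that is not code from the original post: a consumer sends a HEAD request without following redirects and classifies the link target. The demo site, its three paths and the function names are constructed for illustration and run on the loopback interface only.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo site: three hypothetical paths, one per behaviour discussed.
class DemoSite(BaseHTTPRequestHandler):
    def do_HEAD(self):
        if self.path == "/open":
            self.send_response(200)
        elif self.path == "/members":
            # Standards-based: 401 plus a challenge naming scheme and realm.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="members"')
        else:
            # Registration wall implemented as a redirect to a login page.
            self.send_response(301)
            self.send_header("Location", "/login?next=" + self.path)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def look_ahead(host, port, path):
    """HEAD the link target without following redirects and classify it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        challenge = resp.getheader("WWW-Authenticate")
        if resp.status == 401 and challenge:
            # The first token of the challenge is the authentication scheme.
            return ("auth-required", challenge.split(None, 1)[0])
        if resp.status in (301, 302, 303, 307, 308):
            # Ambiguous: a moved page and a login wall look identical here.
            return ("redirect", resp.getheader("Location"))
        return ("open" if resp.status == 200 else "other", None)
    finally:
        conn.close()

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoSite)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        paths = ("/open", "/members", "/article")
        return {p: look_ahead("127.0.0.1", port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()
```

Only the 401 response tells the consumer, in a machine-readable way, that authentication is required and which scheme applies; the redirect case can only be guessed at from the `Location` value.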

But then, we’d need more intelligent browsers first. So yeah, one day perhaps.