Interesting problem we hit on Ecademy. We have private clubs where the discussion is not supposed to be world-viewable. Normally club discussions are available via RSS, so inevitably there are people (like me) who would rather keep up with new posts via RSS and wanted RSS of the private club posts as well. The first attempt added parameters for ID+password to the feed URL: if they validated, you got the posts. Not terribly secure, but it worked. But then somebody posted the URL to NewsGator Web and they started spidering the feed, so all the posts were now turning up in their public search. Oooops! I switched to HTTP AUTH, but had real problems getting PHP to accept it in a form where I could validate it. All the different news readers seemed to have subtly different ways of passing the auth data, and frequently the data never reached PHP at all.
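The PHP problem described above is a known one: under mod_php the engine fills `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` itself, but under CGI/FastCGI it does not, and the raw `Authorization` header only arrives if the web server is configured to forward it. The following is an added example (not code from Ecademy or from this post) of a feed endpoint that checks both places, verifies the password against a hash rather than comparing the plaintext, and answers unauthenticated requests with a bare 401 so a reader or spider that fails the check receives no posts. The user store, the `build_club_feed()` renderer and the sample posts are constructed for the example and are assumptions, not the site's real code.

```php
<?php
// Added example: HTTP Basic auth for a private RSS feed that works under
// mod_php and under CGI/FastCGI. Not the original post's code.
declare(strict_types=1);

/**
 * Return [user, password] from whichever $_SERVER entries the SAPI populated,
 * or null when no usable Basic credentials were presented.
 */
function basic_auth_credentials(array $server): ?array
{
    // mod_php parses the header itself.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // CGI/FastCGI: the header is only visible if the server forwards it, e.g.
    // Apache: RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    $raw = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (stripos($raw, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($raw, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $decoded, 2);
    return [$user, $pass];
}

/** Send the Basic challenge and stop without emitting any feed content. */
function demand_auth(): void
{
    http_response_code(401);
    header('WWW-Authenticate: Basic realm="Private club feed"');
    header('Cache-Control: private, no-store');
    exit;
}

/** Hypothetical renderer: minimal RSS 2.0 for the posts a user may see. */
function build_club_feed(string $user, array $posts): string
{
    $items = '';
    foreach ($posts as $post) {
        $items .= '<item><title>' . htmlspecialchars($post['title'], ENT_XML1)
            . '</title><description>' . htmlspecialchars($post['body'], ENT_XML1)
            . '</description></item>';
    }
    return '<?xml version="1.0" encoding="UTF-8"?>'
        . '<rss version="2.0"><channel><title>Private club feed for '
        . htmlspecialchars($user, ENT_XML1) . '</title>' . $items
        . '</channel></rss>';
}

// Constructed user store (username => password hash); real code would use the DB.
$feed_users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Constructed sample posts standing in for the club's real discussion.
$club_posts = [
    ['title' => 'Welcome', 'body' => 'Members only: this text must not be spidered.'],
];

$creds = basic_auth_credentials($_SERVER);
if ($creds === null) {
    demand_auth();
}
[$user, $pass] = $creds;

// password_verify is constant-time; an unknown user takes the same failure path.
if (!isset($feed_users[$user]) || !password_verify($pass, $feed_users[$user])) {
    demand_auth();
}

// Mark the response per-user so a shared proxy or aggregator cache never
// hands this body to a different client.
header('Content-Type: application/rss+xml; charset=utf-8');
header('Cache-Control: private, no-store');
echo build_club_feed($user, $club_posts);
```

Two design points worth noting: the failure path must exit before any feed markup is written, since a reader that ignores the 401 status would otherwise still display whatever body followed; and the `Cache-Control: private, no-store` header addresses the caching half of the leak, because a feed that authenticates correctly can still be republished by any intermediary that stores and re-serves the response.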

Now, although most of the news readers support AUTH and do the right thing by not making the data public, I have no control over this. Once that data gets out by some route other than the plain old HTML pages and is read by somebody else's code, it's effectively public. The only reason we can rely on browsers to respect HTTP AUTH is that once the credentials are accepted we can be reasonably sure the content is only displayed on the screen of the person who entered the password. But even that is questionable when things like curl and wget can be used.

So the end result is that I'd advise people to back away from private feeds and just not provide them, which is something of a problem, as there is a definite need for private RSS.


20-Oct-05 8:24am