I recently wrote about LiveJournal's cookie-based authentication mechanism, which makes it difficult for RSS aggregators to read "protected" LiveJournal feeds, since the aggregator would have to "reuse steal cookies from your browser instead of using well defined HTTP authentication mechanisms".

My blog post and subsequent email to the LiveJournal development team resulted in the following response and discussion by the LiveJournal developer community, as well as the following [excerpted] email response from Brad Fitzpatrick:

We don't intend for aggregators to support our authentication system, and
we don't want it to be any sort of standard.  The fact that it works is
just an accident, really:  every page on our site is dynamic, and every
page knows who the remote user is, so when the RSS page queries the
recent entries for that user, the code which provides that is security
aware, and so doesn't provide things which it shouldn't.

Please tell people not to support our auth.  We don't want them to go
through that ugly hassle, and it might even change.  We don't consider it
a stable or supported interface at all.

Our intent is to support HTTP Digest Auth in the future (but NOT basic auth)
specifically for RSS/Atom feed pages.

I guess that clears things up. I'd like to thank the LiveJournal folks for promptly responding to my questions and clarifying the situation. Nice.


 
