[whatwg] Solving the login/logout problem in HTML

Ian Hickson ian at hixie.ch
Wed Nov 26 03:14:04 PST 2008


On Wed, 26 Nov 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > > Anyway, if it's out of sync, authentication is not going to work, so 
> > > it should be noticed quickly.
> > 
> > On the contrary, authentication is going to work fine for 99% of users 
> > and it's only when a lone user tries using a bot that it'll break.
> 
> Yes, that's what I meant: it will not work for the bot. We apparently 
> disagree how frequently this is going to be used.

Yes.


On Wed, 26 Nov 2008, Julian Reschke wrote:
> > 
> > Do you have a concrete example where the login form is complex in a 
> > manner where the fields can't be identified and there is reason to 
> > believe that a bot will want to authenticate but won't have been given 
> > enough information to do so?
> 
> Well, it was you stating that the form could be arbitrarily complex.

It can, yes. HTML allows arbitrarily complex forms, and we don't want to 
limit login forms to just two fields and a button. (I regularly log in to 
systems where the login forms are two text fields and a checkbox, or two 
text fields and a drop down, or five or so text fields. But in none of 
these cases would I personally expect a bot to ever have my credentials.)


> If it's just two text fields, one of which of type password, then no, it 
> wouldn't be hard.

Ok.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



More information about the whatwg mailing list