[whatwg] webforms2: new hash attribute for input ?
Kornel Lesinski
kornel at osiolki.net
Wed Aug 15 14:57:37 PDT 2007
On Wed, 15 Aug 2007 16:08:51 +0100, Julien TOUCHE
<julien.touche at lycos.com> wrote:
> <input type="password" hash="sha256" name="mypass" />
> so the browser transmits only the corresponding hash of the
> given value.
Unfortunately this will not secure the browsing session, because once the
user is authenticated, the server will have to use cookies, which could be
stolen and used to impersonate the user.
My suggestion is to kill two birds with one stone by marrying forms with
Digest authentication (RFC 2617).
Digest is already implemented in browsers, doesn't require storage of
unhashed passwords, protects the entire browsing session (with integrity
checking of the payload and prevention of replay attacks) and can provide
mutual authentication - it would be wasteful to re-invent and re-implement
all that for forms.
The dealbreaker in current Digest implementations is the user interface - it
looks unfriendly, can't be customized, the website can't offer account
registration until the user cancels the login, and there's no logout
mechanism.
This can be solved by providing form controls that would log user in using
Digest authentication:
<form method=digest>
<input type=hidden name=realm value="my realm">
<input type=text name=username>
<input type=password name=password>
</form>
or
<input id=myusernameid>
<input type=password authentication=digest realm="my realm"
username=myusernameid>
UI for logging out could be as simple as <button type=logout>, however
implementation details are probably outside scope of HTML 5.
--
regards, Kornel Lesiński
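The Digest properties Kornel lists above (no unhashed password on the server, nonce-count replay rejection, payload integrity with qop=auth-int, and mutual authentication via rspauth) in one worked RFC 2617 exchange. This is an added example, not code from the thread or from any browser; DigestServer, DigestClient, the user "alice", the /transfer URI and the request bodies are constructed for illustration.

```python
# Added example (not code from the whatwg thread): a minimal RFC 2617 Digest
# exchange. DigestServer, DigestClient, the account and the URI are
# hypothetical names chosen for illustration.
import hashlib
import secrets

REALM = "my realm"  # same realm the proposed <form method=digest> carries


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only secret the server keeps."""
    return md5_hex(f"{username}:{realm}:{password}")


def make_ha2(method: str, uri: str, qop: str, body: str = "") -> str:
    """HA2 binds method and URI; qop=auth-int also binds the entity body."""
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1, nonce, nc, cnonce, qop, ha2) -> str:
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self):
        self.ha1_db = {}   # username -> HA1; no unhashed passwords stored
        self.nonces = {}   # nonce -> highest nonce-count accepted so far

    def register(self, username, password):
        self.ha1_db[username] = make_ha1(username, REALM, password)

    def challenge(self):
        """The WWW-Authenticate parameters a 401 would carry."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": REALM, "qop": "auth-int", "nonce": nonce}

    def verify(self, method, uri, body, auth):
        """Check Authorization parameters; return (ok, rspauth_or_reason)."""
        ha1 = self.ha1_db.get(auth["username"])
        if ha1 is None:
            return False, "unknown user"
        nonce = auth["nonce"]
        if nonce not in self.nonces:
            return False, "stale nonce"
        nc = int(auth["nc"], 16)
        if nc <= self.nonces[nonce]:          # replay of an earlier request
            return False, "replayed nonce count"
        ha2 = make_ha2(method, uri, auth["qop"], body)
        expected = digest_response(ha1, nonce, auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2)
        if not secrets.compare_digest(expected, auth["response"]):
            return False, "bad response"      # wrong password or altered body
        self.nonces[nonce] = nc
        # Mutual authentication: rspauth (Authentication-Info) proves the
        # server knows HA1 too; RFC 2617 computes it with an empty method.
        ha2_srv = make_ha2("", uri, auth["qop"], body)
        return True, digest_response(ha1, nonce, auth["nc"], auth["cnonce"],
                                     auth["qop"], ha2_srv)


class DigestClient:
    def __init__(self, username, password):
        self.username, self.password, self.nc = username, password, 0

    def authorize(self, chal, method, uri, body):
        """Build the Authorization parameters for one request."""
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        ha1 = make_ha1(self.username, chal["realm"], self.password)
        ha2 = make_ha2(method, uri, chal["qop"], body)
        return {"username": self.username, "realm": chal["realm"],
                "nonce": chal["nonce"], "uri": uri, "qop": chal["qop"],
                "nc": nc, "cnonce": cnonce,
                "response": digest_response(ha1, chal["nonce"], nc, cnonce,
                                            chal["qop"], ha2)}

    def check_rspauth(self, auth, body, rspauth):
        ha1 = make_ha1(self.username, auth["realm"], self.password)
        ha2_srv = make_ha2("", auth["uri"], auth["qop"], body)
        expected = digest_response(ha1, auth["nonce"], auth["nc"],
                                   auth["cnonce"], auth["qop"], ha2_srv)
        return secrets.compare_digest(expected, rspauth)


def demo():
    """One login, then a replayed request and a tampered body."""
    server = DigestServer()
    server.register("alice", "correct horse")    # constructed test account
    client = DigestClient("alice", "correct horse")
    chal = server.challenge()
    body = "to=bob&amount=10"                    # constructed request body
    auth1 = client.authorize(chal, "POST", "/transfer", body)
    ok, rspauth = server.verify("POST", "/transfer", body, auth1)
    replay = server.verify("POST", "/transfer", body, auth1)
    auth2 = client.authorize(chal, "POST", "/transfer", body)
    tampered = server.verify("POST", "/transfer", "to=eve&amount=10", auth2)
    return {"login": ok, "mutual": client.check_rspauth(auth1, body, rspauth),
            "replay": replay, "tampered": tampered,
            "stored_plaintext": "correct horse" in server.ha1_db.values()}


if __name__ == "__main__":
    print(demo())
```

Note that this is the RFC 2617 scheme exactly as the message discusses it, MD5 and all; a server deployed today would use the SHA-256 algorithm from RFC 7616, which keeps the same structure, and the nonce table would need expiry so stale nonces are not kept forever. The replay check only works because the server tracks the highest nonce-count per nonce; without it a captured Authorization header would be accepted again, which is the cookie-theft problem the message warns about.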