[whatwg] Solving the login/logout problem in HTML

Tab Atkins Jr. jackalmage at gmail.com
Tue Nov 25 05:37:16 PST 2008


Ian Hickson wrote:

> As can be seen in the feedback below, there is interest in improving the
>
experience with logging in and out of Web sites.
>

> Currently there are two main mechanisms: HTTP authentication, and
>
cookie-based authentication with a form login.
>

> Benefits of form authentication over HTTP authentication:
>
 - supports creating an account
>
 - supports recovering a lost password
>
 - supports showing the login form inline with other content
>
 - supports styling the login form
>
 - supports an obvious way of logging out from within the page
>

> Limitations of form authentication:
>
 - no way to indicate that access is being denied because the credentials
>
  passed were wrong or because there were no credentials passed
>
 - insecure when unencrypted
>

> It seems to me that the first limitation of form authentication could be
>
removed by inventing a new WWW-Authenticate challenge that means "reply to
>
the form in the page". I have now specified such a value in HTML5 (since
>
it is specific to entity bodies that contain HTML forms):


This bit confused the hell out of me.  Like Martin Atkins (no relation...
probably) suggested, whenever someone's auth is bad for whatever reason I
redirect them to the login page, possibly with an error message explaining
what went wrong.

I would never have imagined trying to solve this problem at the level you're
suggesting, nor do I think it is particularly necessary, since every server
side language can do a redirect by themselves.

~TJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20081125/5f6738e3/attachment.htm>


More information about the whatwg mailing list