[whatwg] Solving the login/logout problem in HTML
Tab Atkins Jr.
jackalmage at gmail.com
Tue Nov 25 05:37:16 PST 2008
Ian Hickson wrote:
> As can be seen in the feedback below, there is interest in improving the
>
experience with logging in and out of Web sites.
>
> Currently there are two main mechanisms: HTTP authentication, and
>
cookie-based authentication with a form login.
>
> Benefits of form authentication over HTTP authentication:
>
- supports creating an account
>
- supports recovering a lost password
>
- supports showing the login form inline with other content
>
- supports styling the login form
>
- supports an obvious way of logging out from within the page
>
> Limitations of form authentication:
>
- no way to indicate that access is being denied because the credentials
>
passed were wrong or because there were no credentials passed
>
- insecure when unencrypted
>
> It seems to me that the first limitation of form authentication could be
>
removed by inventing a new WWW-Authenticate challenge that means "reply to
>
the form in the page". I have now specified such a value in HTML5 (since
>
it is specific to entity bodies that contain HTML forms):
This bit confused the hell out of me. Like Martin Atkins (no relation...
probably) suggested, whenever someone's auth is bad for whatever reason I
redirect them to the login page, possibly with an error message explaining
what went wrong.
I would never have imagined trying to solve this problem at the level you're
suggesting, nor do I think it is particularly necessary, since every server
side language can do a redirect by themselves.
~TJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20081125/5f6738e3/attachment.htm>
More information about the whatwg
mailing list