[whatwg] Solving the login/logout problem in HTML

Julian Reschke julian.reschke at gmx.de
Wed Nov 26 01:48:20 PST 2008


Hi,

below some more feedback about the initial proposal.

This addresses the "forms served with status 200 status are bad for 
non-interactive/non-HTML-based clients" (partly). That is good.

It does not try to address the "standard HTTP authentication doesn't 
work well in HTML-based UAs", which we discussed in Mandelieu. That's 
ok; it's useful to think about these as separate issues.

Ian Hickson wrote:
> ...
> As can be seen in the feedback below, there is interest in improving the 
> So when you get to a page that expects you to be logged in, it return a 
> 401 with:
> 
>    WWW-Authenticate: HTML form="login"
> 
> ...and there must be a <form> element with name="login", which represents 
> the form that must be submitted to log in.
> ...

For security reasons, I'd prefer that to be "the <form> element", 
instead of "a <form> element" -- having multiple copies of the name in 
the same document should be considered a fatal error.

> We could also make HTTP login work better, but frankly I'm not convinced 
> there's much point. The form login cowpath is so commonly frequented that 
> not only has someone already gone and paved it but it has also been 
> tree-lined, has garbage collection scheduled for Tuesdays and Thursdays, 
> and will be electing a representative at the next general election.

Which doesn't mean that it's not a good idea to think about it 
nevertheless, but let's just keep that in a separate discussion.

>> Yes, that's a simpler option. :-) (Provided that current browsers still 
>> ask for authentication even when given a 200 OK.)
> 
> I don't think they do now, but it's something we can move towards.

I think asking for credentials when the status is 200 would be a bug.

> ...

BR, Julian



More information about the whatwg mailing list