[whatwg] Solving the login/logout problem in HTML

Ian Hickson ian at hixie.ch
Wed Nov 26 02:12:44 PST 2008

On Wed, 26 Nov 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > ...
> > As can be seen in the feedback below, there is interest in improving the So
> > when you get to a page that expects you to be logged in, it return a 401
> > with:
> > 
> >    WWW-Authenticate: HTML form="login"
> > 
> > ...and there must be a <form> element with name="login", which represents
> > the form that must be submitted to log in.
> > ...
> For security reasons, I'd prefer that to be "the <form> element", 
> instead of "a <form> element" -- having multiple copies of the name in 
> the same document should be considered a fatal error.

Having multiple <form> elements with the same name is already an error.

I'm not sure what you mean by "fatal" error. The spec precisely defines 
which form should be used in the case of multiple forms with the same 
name. Could you describe the attack scenario you are considering?

> > > Yes, that's a simpler option. :-) (Provided that current browsers 
> > > still ask for authentication even when given a 200 OK.)
> > 
> > I don't think they do now, but it's something we can move towards.
> I think asking for credentials when the status is 200 would be a bug.

Even in the asynchronous way mpt suggested? I think it would go a long way 
towards addressing the limitations of HTTP authentication. One of the 
great benefits of HTML authentication forms is that they can be made 
available in the equivalent of a 200 OK situation as opposed to only in 
the equivalent of a 401 situation.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list