[whatwg] Solving the login/logout problem in HTML

Jonas Sicking jonas at sicking.cc
Wed Nov 26 10:27:04 PST 2008 

Ian Hickson wrote:
> As can be seen in the feedback below, there is interest in improving the 
> experience with logging in and out of Web sites.
> 
> Currently there are two main mechanisms: HTTP authentication, and 
> cookie-based authentication with a form login.
> 
> Benefits of form authentication over HTTP authentication:
>  - supports creating an account
>  - supports recovering a lost password
>  - supports showing the login form inline with other content
>  - supports styling the login form
>  - supports an obvious way of logging out from within the page
> 
> Limitations of form authentication:
>  - no way to indicate that access is being denied because the credentials 
>    passed were wrong or because there were no credentials passed
>  - insecure when unencrypted
> 
> It seems to me that the first limitation of form authentication could be 
> removed by inventing a new WWW-Authenticate challenge that means "reply to 
> the form in the page". I have now specified such a value in HTML5 (since 
> it is specific to entity bodies that contain HTML forms):
> 
>    challenge = "HTML" [ form ]
>    form      = "form" "=" form-name
>    form-name = quoted-string
> 
> (There's no "credentials" value for this scheme, since the login is done 
> as a POST to a login script and then the server sets proprietary login 
> information, like a cookie using Set-Cookie.)
> 
> So when you get to a page that expects you to be logged in, it return a 
> 401 with:
> 
>    WWW-Authenticate: HTML form="login"
> 
> ...and there must be a <form> element with name="login", which represents 
> the form that must be submitted to log in.
> 
> We could also make HTTP login work better, but frankly I'm not convinced 
> there's much point. The form login cowpath is so commonly frequented that 
> not only has someone already gone and paved it but it has also been 
> tree-lined, has garbage collection scheduled for Tuesdays and Thursdays, 
> and will be electing a representative at the next general election.

As I said at the F2F meeting in France, I don't think this is the right 
way to go. I think moving away from passwords and HTML logins are 
absolutely necessary.

There are much better identity based authentication schemes out there. 
Many do have problems, but these problems can be addressed.

While there is no such thing as an official mozilla position, I'm 
personally not very interested in spending time on adding this feature. 
I'd much rather find a identity based solution that significantly can 
improve the current, really bad, situation regarding authentication.

/ Jonas

More information about the whatwg mailing list