
http://www.w3.org/TR/2009/WD-mwabp-20090507/#bp-enable-automatic-login feedback

From: Kai Hendry <hendry@aplix.co.jp>
Date: Tue, 12 May 2009 15:39:55 +0100
Message-ID: <b24851260905120739g978d9cdk38517129c2beedad@mail.gmail.com>
To: public-bpwg-comments@w3.org

I've been experimenting with a "password manager" demo which would
keep user/pass encrypted on a *local* filestore and then use
something like Google's ServiceLoginAuth to automatically log in the
mobile user.
http://en.wikipedia.org/wiki/Password_manager

On other Websites which don't have a simple login API like
ServiceLoginAuth, I grab the form with some PHP [1] (getting around
the browser's same origin policy) and Jquery [2] and fill in the form
and submit it. This differs site by site, with different names for
user/pass.


I've noticed sites inconsistently try to prevent "cross domain logins" by
adding some hidden form fields, though this technique sometimes does
not work if you simply grab the whole form. [2]

Sites like twitter don't fall for this trick and return:
403 Forbidden: The server understood the request, but is refusing to fulfil it.

Facebook says: Security Notice
For your security, never enter your Facebook password on sites not
located on Facebook.com.

MyOpenId says:
You have followed a bad link. Please inform the owners of the site
from which you came.

However this trick does work on several other sites, e.g.:
http://static.webvm.net/login/?u=http://www.flickr.com/signin/

[1] http://static.webvm.net/login/fetch.txt
[2] http://static.webvm.net/login/index.txt

If a mobile browser supports bookmarklets (I'm unaware of one that
does), then approaches used by 'passpack' or 'clipperz', that fill in
the form fields on the origin's page might work.
http://en.wikipedia.org/wiki/Password_manager#Online_password_manager


It might be good to discuss if we can somehow mitigate Webmasters'
concerns for cross domain logins. Or not. :)

Automatic logins on mobiles could be achieved by UAs (not plugins,
since there is no interface for this functionality), much like they
are done poorly today on the desktop. There are several portability
shortcomings with this. For example my desktop Firefox does not share
its saved passwords with my Android G1's Webkit browser. Though
ideally I want them in sync!

Despite Webmasters' concerns, I do like the idea of having my
identities managed in one place, ultimately like what an OpenID provider
does. OpenID also allows innovators to create a provider service which
can try new authentication (via a plugin for example), without
replacing the user agent.

Therefore I would encourage the best practice of using OpenID logins,
as a key enabler of automatic logins.

Kind regards,
Received on Tuesday, 12 May 2009 14:40:31 GMT
