- From: Kai Hendry <hendry@aplix.co.jp>
- Date: Tue, 12 May 2009 15:39:55 +0100
- To: public-bpwg-comments@w3.org
I've been experimenting with a "password manager" demo which would keep user/pass encrypted on a *local* filestore and then, using something like Google's ServiceLoginAuth, automatically log in the mobile user.

http://en.wikipedia.org/wiki/Password_manager

On other websites which don't have a simple login API like ServiceLoginAuth, I grab the form with some PHP [1] (getting around the browser's same origin policy) and jQuery [2], fill in the form and submit it. This differs site by site, with different names for user/pass.

I've noticed sites inconsistently try to prevent "cross domain logins" by adding some hidden form fields, though this technique sometimes does not work if you simply grab the whole form. [2]

Sites like Twitter don't fall for this trick and return:

403 Forbidden: The server understood the request, but is refusing to fulfil it.

Facebook says:

Security Notice
For your security, never enter your Facebook password on sites not located on Facebook.com.

MyOpenId says:

You have followed a bad link. Please inform the owners of the site from which you came.

However this trick does work on several other sites, e.g.:
http://static.webvm.net/login/?u=http://www.flickr.com/signin/

[1] http://static.webvm.net/login/fetch.txt
[2] http://static.webvm.net/login/index.txt

If a mobile browser supports bookmarklets (I'm unaware of one that does), then approaches used by 'passpack' or 'clipperz', that fill in the form fields on the origin's page, might work.
http://en.wikipedia.org/wiki/Password_manager#Online_password_manager

It might be good to discuss if we can somehow mitigate webmasters' concerns for cross domain logins. Or not. :)

Automatic logins on mobiles could be achieved by UAs (not plugins, since there is no interface for this functionality), much like they are done poorly today on the desktop. There are several portability shortcomings with this. For example my desktop Firefox does not share its saved passwords with my Android G1's WebKit browser. Though ideally I want them in sync!

Despite webmasters' concerns, I do like the idea of having my identities managed in one place, ultimately like what an OpenID provider does. OpenID also allows innovators to create a provider service which can try new authentication (via a plugin for example), without replacing the user agent. Therefore I would encourage the best practice of using OpenID logins, as a key enabler of automatic logins.

Kind regards,
Received on Tuesday, 12 May 2009 14:40:31 UTC
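The mail notes that some sites defeat its "grab the whole form and re-submit it" approach with hidden form fields. To make that defence concrete from the webmaster's side, here is an added Python example (not code from the mail, its author, or any of the sites named) of a login endpoint that binds a one-time token to the browser's own session and checks the Origin header, so a form fetched by a third-party server and re-posted by the user's browser is refused. The LoginService class, SITE_ORIGIN, the in-memory session store and the credential store are all constructed for the demonstration; the checks Twitter, Facebook and MyOpenID actually perform are not documented on the page.

```python
"""Server-side defence against proxied ("cross domain") login form submission.

Added example, not code from the mail or from any site it names. It models
the hidden-form-field technique as a session-bound, single-use login token
plus an Origin check, and shows why grabbing the whole form from another
origin and re-submitting it fails. All names and values are constructed.
"""
import hmac
import secrets

SITE_ORIGIN = "https://login.example"  # assumed origin of the site being protected


class LoginService:
    """Minimal stand-in for a site's login endpoint with an in-memory session store."""

    def __init__(self):
        self.sessions = {}                        # session cookie value -> session dict
        self.users = {"alice": "correct horse"}   # constructed credential store

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {}
        return sid

    def render_login_form(self, session_cookie):
        """GET /login: mint a one-time token, bind it to the caller's session,
        and return the fields a browser would see (token as a hidden field)."""
        sess = self.sessions[session_cookie]
        token = secrets.token_urlsafe(24)
        sess["login_token"] = token
        return {"username": "", "password": "", "login_token": token}

    def handle_login_post(self, session_cookie, form, origin_header):
        """POST /login: refuse submissions that did not come from our own page
        under the same session; only then look at the credentials."""
        sess = self.sessions.get(session_cookie)
        if sess is None:
            return "rejected: no session"
        # 1. Origin must name this site (browsers attach it to cross-site POSTs).
        if origin_header != SITE_ORIGIN:
            return "rejected: foreign origin"
        # 2. The hidden token must be the one minted for THIS session. A proxy
        #    that fetched the form got a token bound to its own session, so the
        #    user's browser submitting it under its own cookie fails here.
        expected = sess.pop("login_token", None)  # single use: replay also fails
        submitted = form.get("login_token", "")
        if expected is None or not hmac.compare_digest(expected, submitted):
            return "rejected: login token mismatch"
        # 3. Only now do the credentials matter.
        if self.users.get(form.get("username")) == form.get("password"):
            sess["user"] = form["username"]
            return "ok"
        return "rejected: bad credentials"


def legitimate_login(service):
    """Browser fetches the form and posts it back under the same session."""
    sid = service.new_session()
    form = service.render_login_form(sid)
    form.update(username="alice", password="correct horse")
    return service.handle_login_post(sid, form, SITE_ORIGIN)


def proxied_login(service):
    """A third-party server fetches the form (its own session), fills it in,
    and the user's browser, with its own session cookie, submits it."""
    proxy_sid = service.new_session()            # proxy's cookie jar
    form = service.render_login_form(proxy_sid)
    form.update(username="alice", password="correct horse")
    user_sid = service.new_session()             # user's browser session
    return service.handle_login_post(user_sid, form, SITE_ORIGIN)


def cross_origin_post(service):
    """Same session, but the POST arrives with another page's Origin header."""
    sid = service.new_session()
    form = service.render_login_form(sid)
    form.update(username="alice", password="correct horse")
    return service.handle_login_post(sid, form, "https://other.example")


if __name__ == "__main__":
    svc = LoginService()
    print("legitimate:", legitimate_login(svc))    # ok
    print("proxied:   ", proxied_login(svc))       # rejected: login token mismatch
    print("x-origin:  ", cross_origin_post(svc))   # rejected: foreign origin
```

The token check is what makes "simply grab the whole form" fail: the hidden field is only valid together with the cookie of the session that rendered it, and it is consumed on first use, so neither a proxied form nor a replayed one gets past step 2. The Origin check is a cheaper first line that catches submissions a browser makes from a page on another site.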