- From: Kornel Lesinski <kornel@osiolki.net>
- Date: Wed, 15 Aug 2007 22:57:37 +0100
On Wed, 15 Aug 2007 16:08:51 +0100, Julien TOUCHE <julien.touche at lycos.com> wrote:

> <input type="password" hash="sha256" name="mypass" />
> so the browser transmits only the corresponding hash of the
> given value.

Unfortunately this will not secure the browsing session, because once the user is authenticated, the server will have to use cookies, which could be stolen and used to impersonate the user.

My suggestion is to kill two birds with one stone by marrying forms with Digest authentication (RFC 2617). Digest is already implemented in browsers, doesn't require storage of unhashed passwords, protects the entire browsing session (with integrity checking of the payload and stopping replay attacks) and can provide mutual authentication - it would be wasteful to re-invent and re-implement all that for forms.

The dealbreaker in current Digest implementations is the user interface - it looks unfriendly, can't be customized, the website can't offer account registration until the user cancels login, and there's no logout mechanism.

This can be solved by providing form controls that would log the user in using Digest authentication:

    <form method=digest>
    <input type=hidden name=realm value="my realm">
    <input type=text name=username>
    <input type=password name=password>
    </form>

or

    <input id=myusernameid>
    <input type=password authentication=digest realm="my realm" username=myusernameid>

UI for logging out could be as simple as <button type=logout>, however implementation details are probably outside the scope of HTML 5.

-- 
regards, Kornel Lesiński
Received on Wednesday, 15 August 2007 14:57:37 UTC
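The three properties the message relies on (the server stores only a hash and never the password, the nonce count stops replays, and rspauth gives mutual authentication, with qop=auth-int also covering the request body) can be checked end to end in a few dozen lines. The following is an added illustration, not code from the original message or from any browser; it implements the RFC 2617 digest computation directly, and the realm, user, password, nonces and POST body are constructed values. The only non-constructed input is the RFC 2617 section 3.5 example vector used to confirm the arithmetic.

```python
"""Digest authentication (RFC 2617) walked through on both sides.

Added illustration, not code from the original message or from any
browser. Realm, user, password, nonces and the POST body are constructed.
"""
import hashlib
import hmac
import secrets


def md5hex(data) -> str:
    """RFC 2617's H(): MD5 as lowercase hex, over str or bytes."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = H(username:realm:password). This is all the server stores."""
    return md5hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """HA2 binds method and URI; with qop=auth-int also the entity body."""
    if qop == "auth-int":
        return md5hex(f"{method}:{uri}:{md5hex(body)}")
    return md5hex(f"{method}:{uri}")


def kd(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """KD(secret, data): the response digest in its qop form."""
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestServer:
    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}    # username -> HA1, never the password
        self.nonces = {}   # nonce -> highest nonce-count accepted so far

    def register(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> dict:
        """Parameters of a WWW-Authenticate: Digest header with a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth,auth-int"}

    def verify(self, method: str, body: bytes, p: dict):
        """Check Authorization: Digest parameters. Returns (ok, detail);
        on success detail is the rspauth for Authentication-Info."""
        stored = self.users.get(p["username"])
        if stored is None or p["realm"] != self.realm:
            return False, "unknown user or realm"
        if p["nonce"] not in self.nonces:
            return False, "unknown or stale nonce"
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:   # a reused (nonce, nc) is a replay
            return False, "nonce count not increasing"
        expected = kd(stored, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                      ha2(method, p["uri"], p["qop"], body))
        if not hmac.compare_digest(expected, p["response"]):
            return False, "bad response"
        self.nonces[p["nonce"]] = nc
        # Mutual authentication: rspauth proves the server also knows HA1.
        rspauth = kd(stored, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                     ha2("", p["uri"], p["qop"], body))
        return True, rspauth


class DigestClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def authorize(self, ch: dict, method: str, uri: str, nc: str,
                  body: bytes = b"", qop: str = "auth-int") -> dict:
        """Build Authorization: Digest parameters for one request."""
        cnonce = secrets.token_hex(8)
        h1 = ha1(self.username, ch["realm"], self.password)
        resp = kd(h1, ch["nonce"], nc, cnonce, qop, ha2(method, uri, qop, body))
        return {"username": self.username, "realm": ch["realm"],
                "nonce": ch["nonce"], "uri": uri, "qop": qop, "nc": nc,
                "cnonce": cnonce, "response": resp}

    def check_rspauth(self, p: dict, rspauth: str, body: bytes = b"") -> bool:
        """Verify the server's Authentication-Info rspauth (mutual auth)."""
        h1 = ha1(self.username, p["realm"], self.password)
        expected = kd(h1, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                      ha2("", p["uri"], p["qop"], body))
        return hmac.compare_digest(expected, rspauth)


def run_exchange() -> dict:
    """Constructed exchange: login, server proof, replay, tampered body."""
    server = DigestServer("my realm")
    server.register("alice", "correct horse")   # server keeps only HA1
    client = DigestClient("alice", "correct horse")
    body = b"comment=hello"
    ch = server.challenge()
    auth = client.authorize(ch, "POST", "/post", "00000001", body)
    ok, rspauth = server.verify("POST", body, auth)
    mutual = ok and client.check_rspauth(auth, rspauth, body)
    replay_ok, _ = server.verify("POST", body, auth)       # same nc again
    auth2 = client.authorize(ch, "POST", "/post", "00000002", body)
    tampered_ok, _ = server.verify("POST", b"comment=evil", auth2)
    return {"login": ok, "mutual": mutual, "replay": replay_ok,
            "tampered": tampered_ok, "stored_plaintext": "correct horse" in
            "".join(server.users.values())}


if __name__ == "__main__":
    print(run_exchange())
```

The server never sees or stores "correct horse"; it keeps HA1 and still verifies every request, answers with rspauth so the client can tell a genuine server from an impostor, and rejects both a replayed Authorization header and a body altered after signing. MD5 and this nonce bookkeeping are what RFC 2617 specifies; a replacement would change the hash and the session binding but not the shape of the exchange.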