W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2007

[whatwg] webforms2: new hash attribute for input ?

From: Kornel Lesinski <kornel@osiolki.net>
Date: Wed, 15 Aug 2007 22:57:37 +0100
Message-ID: <op.tw4fabz44suneb@aimac.local>
On Wed, 15 Aug 2007 16:08:51 +0100, Julien TOUCHE  
<julien.touche at lycos.com> wrote:

> <input type="password" hash="sha256" name="mypass" />
>         so the browser transmits only the corresponding hash of the
> given value.

Unfortunately this will not secure browsing session, because once user is  
authenticated, server will have to use cookies which could be stolen and  
used to impersonate the user.


My suggestion is to kill two birds with one stone by marrying forms with  
Digest authentication (RFC 2617).

Digest is already implemented in browsers, doesn't require storage of  
unhashed passwords, protects entire browsing session (with integrity  
checking of payload and stopping replay attacks) and can provide mutual  
authentication - it would be wasteful to re-invent and re-implement all  
that for forms.

The dealbreaker in current Digest implementations is the user interface -  
looks unfriendly, can't be customized, website can't offer account  
registration until user cancels login and there's no logout mechanism.

This can be solved by providing form controls that would log user in using  
Digest authentication:

<form method=digest>
<input type=hidden name=realm value="my realm">
<input type=text name=username>
<input type=password name=password>
</form>

or

<input id=myusernameid>
<input type=password authentication=digest realm="my realm"  
username=myusernameid>

UI for logging out could be as simple as <button type=logout>, however  
implementation details are probably outside scope of HTML 5.

-- 
regards, Kornel Lesi?ski
Received on Wednesday, 15 August 2007 14:57:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:36 UTC