- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Tue, 25 Nov 2008 07:37:16 -0600
Ian Hickson wrote:
> As can be seen in the feedback below, there is interest in improving the
> experience with logging in and out of Web sites.
>
> Currently there are two main mechanisms: HTTP authentication, and
> cookie-based authentication with a form login.
>
> Benefits of form authentication over HTTP authentication:
> - supports creating an account
> - supports recovering a lost password
> - supports showing the login form inline with other content
> - supports styling the login form
> - supports an obvious way of logging out from within the page
>
> Limitations of form authentication:
> - no way to indicate that access is being denied because the credentials
>   passed were wrong or because there were no credentials passed
> - insecure when unencrypted
>
> It seems to me that the first limitation of form authentication could be
> removed by inventing a new WWW-Authenticate challenge that means "reply to
> the form in the page". I have now specified such a value in HTML5 (since
> it is specific to entity bodies that contain HTML forms):

This bit confused the hell out of me. Like Martin Atkins (no relation... probably) suggested, whenever someone's auth is bad for whatever reason I redirect them to the login page, possibly with an error message explaining what went wrong.

I would never have imagined trying to solve this problem at the level you're suggesting, nor do I think it is particularly necessary, since every server-side language can do a redirect by itself.

~TJ
Received on Tuesday, 25 November 2008 05:37:16 UTC