[whatwg] Solving the login/logout problem in HTML

On Tue, 25 Nov 2008, Tab Atkins Jr. wrote:
> This bit confused the hell out of me.  Like Martin Atkins (no 
> relation... probably) suggested, whenever someone's auth is bad for 
> whatever reason I redirect them to the login page, possibly with an 
> error message explaining what went wrong.

You can still do that. You also have the opportunity to use a 401 on the 
login page itself.

> I would never have imagined trying to solve this problem at the level 
> you're suggesting, nor do I think it is particularly necessary, since 
> every server side language can do a redirect by themselves.

It may be that few enough people want to use the HTTP mechanisms for this 
that the feature will need to be removed when the spec progresses to the 
next level.

On Tue, 25 Nov 2008, Julian Reschke wrote:
> thanks a lot for this proposal which seems to go into the right 
> direction.
> I didn't yet have time to look into this in detail, but it currently 
> seems to require the UA to still parse the HTML page. Wouldn't it be 
> better of the *headers* of the response (such as WW-Authenticate, Link, 
> ...) would contain sufficient information to perform the login without 
> having to do that; such as a URI to POST to, plus the parameter names 
> for user name and password?

The problem is that you'd basically have to duplicate the entire form, 
since login forms can be arbitrarily complex. If the bot has the username 
and password, why not also give it the username field name, password field 
name, and login script url? Just consider them part of the credentials.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 25 November 2008 12:57:06 UTC