
[whatwg] Solving the login/logout problem in HTML

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 25 Nov 2008 21:28:01 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0811252124330.17401@hixie.dreamhostps.com>

On Tue, 25 Nov 2008, Julian Reschke wrote:
> > 
> > Well for a piece of software of that scale, parsing the document using 
> > an off-the-shelf HTML parser and finding the first matching <form> 
> > element and then applying normal HTML semantics to get to the form 
> > fields seems like a pretty small task in comparison to the rest.
> 
> Well, that's what we have been doing.
> 
> I was looking forward where this could be used by somebody who isn't an 
> expert (think Microsoft Webfolder client or Apple WebDAV FS driver), and 
> where running an HTML parser (in the kernel?) would be problematic.

I wouldn't recommend running an HTTP parser in the kernel either. Anywhere 
where you can safely run an HTTP parser you can run an HTML parser too.


> > > So, on the other hand, if the login form is more complex than 
> > > username + password, what is a bot supposed to do with it?
> > 
> > I don't understand why it makes a difference what the form is like. It 
> > should apply whatever credentials it has been given -- whatever those 
> > might be, username/password, certificate, fake address and phone 
> > number, whatever, and submit the form. Just like a user.
> 
> To do that, it would need to *capture* that information somewhere. I was 
> assuming the whole point in the exercise was to avoid having to pop up 
> an HTML based UI...

Well if you don't have the credentials, you can't really log in anyway.

If the request is to be able to take an HTML form and display it to the 
user as some other UI, then just apply the HTML semantics to the form to 
get the UI out. That's exactly what HTML is _for_: encoding media- and 
presentation-independent semantics.


> PS: But even if it doesn't help authenticating without an HTML based UI, 
> this could be useful because it allows non-interactive clients to 
> understand that they're looking at a login form, not the "real thing".

Indeed.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 November 2008 13:28:01 UTC
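
The approach discussed in this thread (an off-the-shelf HTML parser, normal form semantics, and a non-interactive client recognising that it was served a login form rather than the resource) can be sketched as follows. This is an added example, not code from the thread or from any participant; treating "contains a password control" as the test for a login form is an assumption, and the sample pages and names such as `find_login_form` are constructed for illustration.

```python
from html.parser import HTMLParser

class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and controls."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag/attribute names arrive lowercased
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            kind = a.get("type", "text").lower() if tag == "input" else tag
            self._current["fields"].append(
                {"name": a.get("name", ""), "type": kind, "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_login_form(html):
    """Return the first form holding a password control, else None (assumed heuristic)."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    for form in parser.forms:
        if any(f["type"] == "password" for f in form["fields"]):
            return form
    return None

def classify_response(html):
    """Tell a non-interactive client whether it got a login page or content."""
    return "login-form" if find_login_form(html) else "content"

# Constructed sample pages (not taken from any real site).
SAMPLE_LOGIN = """<html><body>
<form action="/search"><input name="q"></form>
<FORM ACTION="/session" METHOD="POST">
 <input type="hidden" name="csrf" value="constructed-token">
 <input name="user"><input TYPE="Password" name="pass">
 <input type="submit" value="Log in">
</FORM></body></html>"""
SAMPLE_CONTENT = "<html><body><form action='/search'><input name='q'></form><p>report</p></body></html>"

if __name__ == "__main__":
    print(classify_response(SAMPLE_LOGIN), find_login_form(SAMPLE_LOGIN))
```

A client that gets `login-form` back for a URL it expected to be a resource can report an authentication failure instead of storing or indexing the login page as if it were the content.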
