W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2008

[whatwg] Solving the login/logout problem in HTML

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 26 Nov 2008 11:14:04 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0811261111490.17401@hixie.dreamhostps.com>
On Wed, 26 Nov 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > > Anyway, if it's out of sync, authentication is not going to work, so 
> > > it should be noticed quickly.
> > 
> > On the contrary, authentication is going to work fine for 99% of users 
> > and it's only when a lone user tries using a bot that it'll break.
> Yes, that's what I meant: it will not work for the bot. We apparently 
> disagree how frequently this is going to be used.


On Wed, 26 Nov 2008, Julian Reschke wrote:
> > 
> > Do you have a concrete example where the login form is complex in a 
> > manner where the fields can't be identified and there is reason to 
> > believe that a bot will want to authenticate but won't have been given 
> > enough information to do so?
> Well, it was you stating that the form could be arbitrarily complex.

It can, yes. HTML allows arbitrarily complex forms, and we don't want to 
limit login forms to just two fields and a button. (I regularly log in to 
systems where the login forms are two text fields and a checkbox, or two 
text fields and a drop down, or five or so text fields. But in none of 
these cases would I personally expect a bot to ever have my credentials.)

> If it's just two text fields, one of which of type password, then no, it 
> wouldn't be hard.


Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 03:14:04 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:07 UTC