On Wed, 15 Aug 2007 16:08:51 +0100, Julien TOUCHE
<[EMAIL PROTECTED]> wrote:
> <input type="password" hash="sha256" name="mypass" />
> so the browser transmits only the corresponding hash of the
> given value.
Unfortunately this will not secure the browsing session, because once the user is
authenticated, the server will have to use cookies, which could be stolen and
used to impersonate the user.
My suggestion is to kill two birds with one stone by marrying forms with
Digest authentication (RFC 2617).
Digest is already implemented in browsers, doesn't require storage of
unhashed passwords, protects entire browsing session (with integrity
checking of payload and stopping replay attacks) and can provide mutual
authentication - it would be wasteful to re-invent and re-implement all
that for forms.
The dealbreaker in current Digest implementations is the user interface -
it looks unfriendly, can't be customized, the website can't offer account
registration until the user cancels the login, and there's no logout mechanism.
This can be solved by providing form controls that would log the user in using
Digest authentication:
<form method=digest>
<input type=hidden name=realm value="my realm">
<input type=text name=username>
<input type=password name=password>
</form>
or
<input id=myusernameid>
<input type=password authentication=digest realm="my realm"
username=myusernameid>
UI for logging out could be as simple as <button type=logout>, however the
implementation details are probably outside the scope of HTML 5.
--
regards, Kornel Lesiński
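The RFC 2617 digest computation the reply relies on, together with the server-side nonce-count check that stops replays and the qop=auth-int variant that binds the request body, as an added Python example that is not part of this thread. The username, realm, password and nonce are RFC 2617's own worked example; the header dict layout and the `DigestVerifier` class are assumptions of this example, not anything the posters proposed.

```python
import hashlib
import hmac

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password): the only secret the server stores.
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop, body=b""):
    # RFC 2617 response; qop=auth-int additionally covers the entity body.
    if qop == "auth-int":
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side (assumed helper): HA1 per user, highest nc seen per nonce."""

    def __init__(self, realm: str, users_ha1: dict):
        self.realm = realm
        self.users = users_ha1   # username -> HA1, never the plaintext password
        self.seen = {}           # nonce -> highest nonce-count accepted so far

    def verify(self, hdr: dict, method: str, body: bytes = b"") -> bool:
        stored = self.users.get(hdr["username"])
        if stored is None or hdr["realm"] != self.realm:
            return False
        nc = int(hdr["nc"], 16)
        if nc <= self.seen.get(hdr["nonce"], 0):
            return False         # replayed or out-of-order nonce-count
        expected = digest_response(stored, method, hdr["uri"], hdr["nonce"],
                                   hdr["nc"], hdr["cnonce"], hdr["qop"], body)
        if not hmac.compare_digest(expected, hdr["response"]):
            return False         # wrong password, wrong URI or tampered body
        self.seen[hdr["nonce"]] = nc
        return True

# Constructed client request built from RFC 2617's worked example values.
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_HA1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

def rfc_example_header(nc="00000001", qop="auth", body=b"") -> dict:
    hdr = {"username": "Mufasa", "realm": "testrealm@host.com", "nonce": RFC_NONCE,
           "uri": "/dir/index.html", "qop": qop, "nc": nc, "cnonce": "0a4f113b"}
    hdr["response"] = digest_response(RFC_HA1, "GET", hdr["uri"], RFC_NONCE,
                                      nc, hdr["cnonce"], qop, body)
    return hdr
```

With qop=auth the header reproduces the RFC's response value 6629fae49393a05397450978507c4ef1; presenting the same nonce-count twice is rejected, which is the replay protection the reply mentions.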