Ian Hickson wrote:
As can be seen in the feedback below, there is interest in improving the
experience with logging in and out of Web sites.
Currently there are two main mechanisms: HTTP authentication, and
cookie-based authentication with a form login.
Benefits of form authentication over HTTP authentication:
- supports creating an account
- supports recovering a lost password
- supports showing the login form inline with other content
- supports styling the login form
- supports an obvious way of logging out from within the page
Limitations of form authentication:
- no way to indicate that access is being denied because the credentials
passed were wrong or because there were no credentials passed
- insecure when unencrypted
It seems to me that the first limitation of form authentication could be
removed by inventing a new WWW-Authenticate challenge that means "reply to
the form in the page". I have now specified such a value in HTML5 (since
it is specific to entity bodies that contain HTML forms):
challenge = "HTML" [ form ]
form = "form" "=" form-name
form-name = quoted-string
(There's no "credentials" value for this scheme, since the login is done
as a POST to a login script and then the server sets proprietary login
information, like a cookie using Set-Cookie.)
So when you get to a page that expects you to be logged in, it returns a
401 with:
WWW-Authenticate: HTML form="login"
...and there must be a <form> element with name="login", which represents
the form that must be submitted to log in.
We could also make HTTP login work better, but frankly I'm not convinced
there's much point. The form login cowpath is so commonly frequented that
not only has someone already gone and paved it but it has also been
tree-lined, has garbage collection scheduled for Tuesdays and Thursdays,
and will be electing a representative at the next general election.
As I said at the F2F meeting in France, I don't think this is the right
way to go. I think moving away from passwords and HTML logins is
absolutely necessary.
There are much better identity-based authentication schemes out there.
Many do have problems, but these problems can be addressed.
While there is no such thing as an official Mozilla position, I'm
personally not very interested in spending time on adding this feature.
I'd much rather find an identity-based solution that can significantly
improve the current, really bad, situation regarding authentication.
/ Jonas
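The 401 exchange Ian describes, as an added example that is not part of the thread or of any implementation: a client-side helper that parses the proposed `HTML` challenge using the ABNF quoted above and then locates the named `<form>` in the entity body. The sample body, the function names and the decision to treat a challenge without a form-name as unusable are assumptions.

```python
import re
from html.parser import HTMLParser

# Grammar quoted in the proposal (scheme/parameter names case-insensitive, as in HTTP):
#   challenge = "HTML" [ form ]; form = "form" "=" form-name; form-name = quoted-string
_CHALLENGE = re.compile(r'^\s*HTML(?:\s+form="((?:[^"\\]|\\.)*)")?\s*$', re.IGNORECASE)

def parse_html_challenge(value):
    """Form name from an 'HTML' challenge; None if the optional form parameter is absent.
    Raises ValueError when the WWW-Authenticate value is not this scheme."""
    m = _CHALLENGE.match(value)
    if not m:
        raise ValueError("not an HTML challenge: %r" % value)
    name = m.group(1)
    return None if name is None else re.sub(r'\\(.)', r'\1', name)  # undo quoted-pairs

class _FormFinder(HTMLParser):  # records the <form> whose name attribute matches
    def __init__(self, wanted):
        super().__init__()
        self.wanted, self.form, self.fields, self._inside = wanted, None, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.form is None and a.get("name") == self.wanted:
            self.form, self._inside = a, True
        elif self._inside and tag == "input" and a.get("name"):
            self.fields.append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._inside = False

def form_to_submit(www_authenticate, body):
    """For a 401 carrying an 'HTML' challenge, return the in-page form the client must
    submit, or None if the scheme, form name or promised <form name=...> is missing."""
    try:
        name = parse_html_challenge(www_authenticate)
    except ValueError:
        return None
    if name is None:  # assumption: without form-name the client cannot locate the form
        return None
    finder = _FormFinder(name)
    finder.feed(body)
    finder.close()
    if finder.form is None:
        return None
    return {"action": finder.form.get("action", ""),
            "method": finder.form.get("method", "get").upper(), "fields": finder.fields}

# Constructed sample entity body for the 401 in the proposal (not from the thread)
SAMPLE_BODY = ('<html><body><form name="login" method="post" action="/do-login">'
               '<input name="user"><input name="pass" type="password"><input type="submit"></form></body></html>')
```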