HTTP+HTML form-based authentication

HTTP+HTML form-based authentication, typically presently colloquially referred to as simply form-based authentication, is a technique whereby a website uses a web form to collect, and subsequently authenticate, credential information from a user agent, typically a web browser. (Note that the phrase "form-based authentication" is ambiguous. See form-based authentication for further explanation.)

Interaction summary

The steps of the technique are:

Adoption considerations

HTTP+HTML form-based authentication is arguably the most prevalent user-authentication technique employed on the World Wide Web today. It is the approach of choice for essentially all wikis, forums, banking/financial websites, e-commerce websites, Web search engines, Web portals, and other common web-server applications.

This popularity is apparently due to webmasters or their employers wanting fine-grained control over the presentation and behavior of the solicitation for user credentials, while the default pop-up dialog boxes (for HTTP basic access authentication or digest access authentication) that many web browsers provide do not allow precise tailoring. The desired precision may be motivated by corporate requirements (like branding) or implementation issues (e.g., the default configuration of website software like MediaWiki, phpBB, Drupal, WordPress). Regardless of rationale, any corporate branding or user-experience adjustments must not distract from several security considerations of this authentication process.

Security considerations

Code

<form method="post" action="/login">
  <input type="text" name="username" required>
  <input type="password" name="password" required>
  <input type="submit" value="Login">
</form>

See also

This article is issued from Wikipedia - version of the Friday, August 09, 2013. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.