- HTTP+HTML Form based authentication
HTTP+HTML Form based authentication, now commonly referred to simply as Form based authentication (a term that is in fact ambiguous; see form based authentication for further explanation), is a technique whereby a website uses a web form to collect, and subsequently authenticate, credential information from a user agent, typically a web browser wielded by a user.

Interaction Summary
The salient steps in this technique are:
* An unauthenticated user agent requests a web page from a website via the HTTP protocol.
* The website returns an HTML web page to the unauthenticated user agent. This web page is, at minimum, crafted with an HTML-based web form that prompts the user for a username and password and presents a button typically labeled "login" or "submit".
* The user fills in the web form with username and password, then invokes the submit button.
* The user agent conveys the web form data, i.e. the username and password, to the web server.
* The website implementation, running on the web server, then typically performs verification and validation operations on the conveyed web form data; if those operations succeed, the user (or, more properly, the user agent) is authenticated from the website's perspective.

Adoption Considerations
HTTP+HTML Form-based Authentication is arguably the most prevalent user authentication technique employed on the Web today. It is the approach of choice for essentially all wikis, forums, banking/financial websites, ecommerce websites, Web search engines, Web portals, etc.

The overarching reason for this is apparently that websites, whether by dint of simple implementation (e.g. the default configuration of website software such as mediawiki, phpbb, drupal, wordpress and commercial alternatives) or by corporate desires such as branding, wish to have fine-grained control over the presentation and behavior of the solicitation for user credentials; the default popup dialog boxes provided by web browsers when HTTP Basic access authentication or Digest access authentication are employed (presently) do not allow for such tailoring on the part of the website provider.

Note that this, the credence given to "user experience", not to mention branding, what the less charitable would term "simply eye candy", is done in the face of the security considerations enumerated below.

Security Considerations
* The user credentials are conveyed in the clear to the website, unless steps such as employing transport layer security (TLS) are taken.
* The technique is essentially ad hoc, in that effectively none of the interactions between the user agent and the web server, other than HTTP and HTML themselves, are standardized. The actual authentication mechanism employed by the website is unknown to the user and the user agent. The form itself, including the number of editable fields and the desired content thereof, is entirely implementation- and deployment-dependent.
* This technique is inherently phishable. This is a major, pragmatic consideration given the present-day prevalence of phishing.
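The five-step exchange in the Interaction Summary and the first two security considerations above, modelled server-side in Python as an added example (not code from this article or from any of the software it names): the form-rendering and form-handling functions, the field names, the PBKDF2 round count and the user store are all this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

PBKDF2_ROUNDS = 600_000  # assumed parameter choice for this demo

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store: holds (salt, PBKDF2 hash), never the plaintext password.
_DEMO_SALT = b"constructed-demo-salt"  # real deployments use a random salt per user
USERS = {"alice": (_DEMO_SALT, _hash_password("correct horse battery staple", _DEMO_SALT))}
_DUMMY = (_DEMO_SALT, bytes(32))  # used for unknown users so hashing work stays uniform

def login_form_html() -> str:
    """Step 2: the HTML web form the website returns to an unauthenticated user agent.
    The field names are this example's choice; HTTP and HTML standardise none of this."""
    return ('<form method="POST" action="/login">'
            '<input name="username"> <input type="password" name="password">'
            '<button type="submit">login</button></form>')

def handle_login(body: str, over_tls: bool) -> dict:
    """Steps 4-5: parse the application/x-www-form-urlencoded body the user agent
    conveys and verify it. Returns the HTTP response the website would send."""
    if not over_tls:
        # Credentials posted over plain HTTP travel in the clear; refuse to accept
        # them so the site never trains users to submit the form without TLS.
        return {"status": 403, "body": "login form must be submitted over HTTPS"}
    fields = parse_qs(body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    salt, stored = USERS.get(username, _DUMMY)
    # Always hash, and compare in constant time, so response timing does not
    # reveal whether the failure was a wrong password or an unknown username.
    ok = hmac.compare_digest(_hash_password(password, salt), stored) and username in USERS
    if not ok:
        return {"status": 401, "body": login_form_html()}
    # Success: issue an unguessable session token; Secure + HttpOnly keep the
    # cookie off cleartext connections and out of reach of page scripts.
    token = secrets.token_urlsafe(32)
    return {"status": 303, "Location": "/",
            "Set-Cookie": f"session={token}; Secure; HttpOnly; SameSite=Lax"}
```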
See Also
* Authentication
* Basic access authentication
* Digest access authentication
* Form based authentication
* Login
Wikimedia Foundation. 2010.