HTTP+HTML Form based authentication

HTTP+HTML Form based authentication, now colloquially referred to simply as Form based authentication (a term that is actually ambiguous; see form based authentication for further explanation), is a technique whereby a website uses a web form to collect, and subsequently authenticate, credential information from a user agent, typically a web browser operated by a user.

Interaction Summary

The salient steps in this technique are:

* An unauthenticated user agent requests a webpage from a website, via the HTTP protocol.

* The website returns an HTML web page to the unauthenticated user agent. At a minimum, that page contains an HTML-based web form that prompts the user for a username and password and presents a button typically labeled "login" or "submit".

* The user fills in the web form with a username and password and then invokes the submit button.

* The user agent conveys the web form data, i.e. username and password, to the web server.

* The website implementation, running on the web server, then typically performs verification and validation operations on the conveyed web form data. If those operations succeed, the user (or, more properly, the user agent) is authenticated from the website's perspective.
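The exchange described in the steps above, as an added example that is not part of the original article: a minimal Python server that returns the login form, parses the posted form body, verifies the credentials against a salted PBKDF2 hash, and issues a session cookie. The credential store, the user "alice" and her password, the /login path and the cookie name "session" are constructed for this example and are not taken from the article.

```python
import hashlib
import hmac
import html
import os
import secrets
from http import HTTPStatus
from urllib.parse import parse_qs

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample credential store: username -> (salt, hash). A real site keeps this in a database.
_SALT = os.urandom(16)
CREDENTIAL_STORE = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}

# Dummy salt/hash used for unknown usernames so the response time does not reveal which accounts exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

SESSIONS = {}  # session token -> username (in-memory, constructed for the example)


def login_form_html(error: str = "") -> str:
    """Step 2 of the exchange: the HTML form returned to an unauthenticated user agent."""
    notice = f"<p>{html.escape(error)}</p>" if error else ""
    return (
        "<!doctype html><html><body>" + notice +
        '<form method="POST" action="/login">'
        '<label>Username <input name="username" autocomplete="username"></label>'
        '<label>Password <input name="password" type="password" autocomplete="current-password"></label>'
        '<button type="submit">login</button>'
        "</form></body></html>"
    )


def parse_form_body(body: bytes) -> dict:
    """Step 4: decode the application/x-www-form-urlencoded body the browser sends."""
    fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def verify_credentials(username: str, password: str) -> bool:
    """Step 5: recompute the hash for the submitted password and compare in constant time."""
    salt, expected = CREDENTIAL_STORE.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected) and username in CREDENTIAL_STORE


def handle_login_post(body: bytes) -> tuple:
    """Server-side handling of the submitted form. Returns (status, headers, page)."""
    form = parse_form_body(body)
    if not verify_credentials(form.get("username", ""), form.get("password", "")):
        return (HTTPStatus.UNAUTHORIZED, {}, login_form_html("Invalid username or password."))
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = form["username"]
    # Secure: only sent over TLS. HttpOnly: not readable by script. SameSite: not attached cross-site.
    headers = {
        "Set-Cookie": f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Location": "/",
    }
    return (HTTPStatus.SEE_OTHER, headers, "")


def user_for_cookie(cookie_header: str):
    """Later requests are authenticated by the session cookie, not by resending the password."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


if __name__ == "__main__":
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class LoginHandler(BaseHTTPRequestHandler):
        def _send(self, status, headers, page):
            self.send_response(status)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            for name, value in headers.items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(page.encode("utf-8"))

        def do_GET(self):
            user = user_for_cookie(self.headers.get("Cookie", ""))
            page = f"<p>Logged in as {html.escape(user)}</p>" if user else login_form_html()
            self._send(HTTPStatus.OK, {}, page)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            self._send(*handle_login_post(self.rfile.read(length)))

    # Plain HTTP on localhost for experimentation only; the form body carries the password in the
    # clear, so a real deployment terminates TLS in front of this handler.
    HTTPServer(("127.0.0.1", 8000), LoginHandler).serve_forever()
```

Running the file starts the server on 127.0.0.1:8000; a browser then walks through the five steps above, and the Secure flag on the cookie means the browser will only return it over HTTPS, which is why the localhost experiment needs TLS in front of it before the logged-in view appears.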

Adoption Considerations

HTTP+HTML Form-based Authentication is arguably the most prevalent user authentication technique employed on the Web today. It is the approach of choice for essentially all wikis, forums, banking/financial websites, ecommerce websites, Web search engines, Web portals, etc.

The overarching reason for this is apparently that websites, whether by dint of simple implementation (e.g. the default configuration of website software such as MediaWiki, phpBB, Drupal, WordPress and commercial alternatives) or because of corporate desires such as branding, wish to have fine-grained control over the presentation and behavior of the solicitation for user credentials -- and the default popup dialog boxes provided by web browsers when HTTP Basic access authentication or Digest access authentication are employed (presently) don't allow for such tailoring on the part of the website provider.

Note that this -- the credence given to "user experience", not to mention branding, which the less charitable would term "simply eye candy" -- is done in the face of the security considerations enumerated below.

Security Considerations

* The user credentials are conveyed in the clear to the website, unless steps such as employment of transport layer security (TLS) are taken.

* The technique is essentially ad-hoc in that effectively none of the interactions between the user agent and the webserver, other than HTTP and HTML themselves, are standardized. The actual authentication mechanism employed by the website is unknown to the user and the user agent. The form itself, including the number of editable fields, and desired content thereof, are entirely implementation- and deployment-dependent.

* This technique is inherently phishable. This is a major pragmatic consideration given the present-day prevalence of phishing.
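A defender's check that follows from the first two considerations, as an added example that is not code from the original article: a small Python audit that parses a login page, finds the form containing a password field, and reports whether the page and the form's action target use TLS, whether the form submits with POST rather than GET (a GET form puts the credentials in the URL, browser history and server logs), and whether the credentials would leave the page's own origin. The sample pages and the hostnames example.test and other.test are constructed for the example; the checks themselves are this example's choice of what to audit, not a standard.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),  # HTML default is GET
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, page_html: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue was detected."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page served without TLS: the form and any submitted credentials are exposed in transit")

    collector = _FormCollector()
    collector.feed(page_html)
    login_forms = [f for f in collector.forms if any(i["type"] == "password" for i in f["inputs"])]
    if not login_forms:
        findings.append("no form with a password field found")

    for form in login_forms:
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append(f"form submits credentials to non-TLS target {target.geturl()}")
        if target.netloc != page.netloc:
            findings.append(f"form submits credentials to a different origin ({target.netloc}) than the page ({page.netloc})")
        if form["method"] != "POST":
            findings.append(f"form uses {form['method']}: credentials would appear in the URL, history and server logs")
    return findings


# Constructed sample pages for demonstration.
SAMPLE_OK_PAGE = (
    '<form method="post" action="/login">'
    '<input name="username"><input name="password" type="password"></form>'
)
SAMPLE_WEAK_PAGE = (
    '<form action="http://other.test/login">'
    '<input name="user"><input name="pass" type="PASSWORD"></form>'
)

if __name__ == "__main__":
    for url, page_html in (("https://example.test/login", SAMPLE_OK_PAGE),
                           ("http://example.test/login", SAMPLE_WEAK_PAGE)):
        print(url)
        for finding in audit_login_page(url, page_html) or ["no findings"]:
            print("  -", finding)
```

The audit only reads the HTML, so it can be run against a saved copy of a login page; the "different origin" finding is the one that speaks to the article's point that the form's destination is entirely implementation-dependent and invisible to the user agent.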

See Also

* Authentication
* Basic access authentication
* Digest access authentication
* Form based authentication
* Login


Wikimedia Foundation. 2010.
