First, a strong caveat that this answer is not the best fit for this exact question. It should definitely not be the top answer!
I will go ahead and mention Mozilla's proposed BrowserID (or perhaps more precisely, the Verified Email Protocol) in the spirit of finding an upgrade path to better approaches to authentication in the future.
I’ll summarize it this way:
Mozilla is a nonprofit with values that align well with finding good solutions to this problem.
The reality today is that most websites use form-based authentication.
Form-based authentication has a big drawback, which is an increased risk of phishing. Users are asked to enter sensitive information into an area controlled by a remote entity, rather than an area controlled by their User Agent (browser). Since browsers are implicitly trusted (the whole idea of a User Agent is to act on behalf of the User), they can help improve this situation.
The primary force holding back progress here is deployment deadlock. Solutions must be decomposed into steps which provide some incremental benefit on their own.
The simplest decentralized method for expressing an identity that is built into the internet infrastructure is the domain name.
As a second level of expressing identity, each domain manages its own set of accounts.
The form "account@domain" is concise and supported by a wide range of protocols and URI schemes. Such an identifier is, of course, most universally recognized as an email address.
Email providers are already the de-facto primary identity providers online. Current password reset flows usually let you take control of an account if you can prove that you control that account’s associated email address.
The Verified Email Protocol was proposed to provide a secure method, based on public key cryptography, for streamlining the process of proving to domain B that you have an account on domain A.
For email services that don’t support the Verified Email Protocol, the protocol allows third parties to act as a trusted intermediary, asserting that they’ve verified a user’s ownership of an account. It is not desirable to have a large number of such third parties; this capability is intended only to allow an upgrade path, and it is much preferred that email services provide these assertions themselves.
Mozilla offers their own service to act like such a trusted third party. Service Providers (that is, Relying Parties) implementing the Verified Email Protocol may choose to trust Mozilla's assertions or not. Mozilla’s service verifies users’ account ownership using the conventional means of sending an email with a confirmation link.
Service Providers may, of course, offer this protocol as an option in addition to any other method(s) of authentication they might wish to offer.
A big user interface benefit being sought here is the "identity selector". When a user visits a site and chooses to authenticate, their browser shows them a selection of email addresses ("personal", "work", "political activism", etc.) they may use to identify themselves to the site.
Another big user interface benefit being sought as part of this effort is helping the browser know more about the user's session (who they're signed in as currently, primarily) so it may display that in the browser chrome.
Because of the distributed nature of this system, it avoids lock-in to major sites like Facebook, Twitter, Google, etc. Any individual can own their own domain and therefore act as their own identity provider.
This is not strictly "form-based authentication for websites". But it is an effort to transition from the current norm of form-based authentication to something more secure: browser-supported authentication.
I just thought I'd share this solution that I found to be working just fine.
I call it the Dummy Field (though I haven't invented this so don't credit me).
In short: you just have to insert this into your <form> and check for it to be empty when validating:
<input type="text" name="email" style="display:none" />
The trick is to fool a bot into thinking it has to insert data into a required field, that's why I named the input "email". If you already have a field called email that you're using you should try naming the dummy field something else like "company", "phone" or "emailaddress". Just pick something you know you don't need and what sounds like something people would normally find logical to fill in on a web form. Now hide the input with CSS; don't set the input type to hidden or else the bot won't fall for it.
When you are validating the form (either client or server side) check if your dummy field has been filled to determine if it was sent by a human or a bot.
In case of a human:
The user will not see the dummy field (in my case named "email") and will not attempt to fill it. So the value of the dummy field should still be empty when the form has been sent.
In case of a bot:
The bot will see a field whose type is text and a name email (or whatever it is you called it) and will logically attempt to fill it with appropriate data. It doesn't care if you styled the input form with some fancy CSS, web-developers do it all the time. Whatever the value in the dummy field is, we don't care as long as it's larger than
I used this method on a guestbook in combination with CAPTCHA, and I haven't seen a single spam post since. I had used a CAPTCHA-only solution before, but eventually, it resulted in about five spam posts every hour. Adding the dummy field in the form has stopped (at least until now) all the spam from appearing.
I believe this can also be used just fine with a login/authentication form.
Warning: Of course this method is not 100% foolproof. Bots can be programmed to ignore input fields with the style display:none applied to it. You also have to think about people who use some form of auto-completion (like most browsers have built-in!) to auto-fill all form fields for them. They might just as well pick up a dummy field.
You can also vary this up a little by leaving the dummy field visible but outside the boundaries of the screen, but this is totally up to you.
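An added example (not the answerer's code) of the dummy-field check above on the server side: the field is rendered hidden with CSS rather than as type="hidden", and a submission is classified by whether that field came back empty. The autocomplete="off" attribute and the "missing" verdict for a body that omits the field entirely are additions beyond the answer, noted as such in the comments.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// HoneypotField is the dummy field's name. The answer hides it with CSS
// rather than type="hidden", so a bot that fills every text input sees it
// as a required "email" field and populates it.
const HoneypotField = "email"

// HoneypotInput renders the dummy field. autocomplete="off" is an addition
// (assumption, not from the answer) to reduce the chance that a browser's
// form autofill populates it for a real user.
func HoneypotInput() string {
	return fmt.Sprintf(`<input type="text" name="%s" autocomplete="off" style="display:none" />`, HoneypotField)
}

// Verdict applies the check the answer describes on the server side:
// "human" when the dummy field arrives empty, "bot" when it carries any
// value. "missing" (an addition) flags a body that dropped the field the
// served form always contains, as a script posting a hand-built request
// would; treat it as suspicious rather than as proof of a bot.
func Verdict(form url.Values) string {
	vals, present := form[HoneypotField]
	if !present {
		return "missing"
	}
	if strings.TrimSpace(strings.Join(vals, "")) != "" {
		return "bot"
	}
	return "human"
}

func main() {
	// Constructed sample bodies, as a form-encoded POST would arrive.
	human, _ := url.ParseQuery("name=Ann&message=hello&email=")
	bot, _ := url.ParseQuery("name=x&message=buy+now&email=spam%40example.invalid")
	script, _ := url.ParseQuery("name=x&message=hi")
	fmt.Println(Verdict(human), Verdict(bot), Verdict(script)) // human bot missing
}
```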
Comments

Why exclude HTTP Basic Authentication? It can work in HTML Forms via Ajax: peej.co.uk/articles/http-auth-with-html-forms.html

HTTP Basic Auth has the property of being (comparatively) difficult to make a browser forget. It's also horribly insecure if you don't use it with SSL to secure the connection (i.e., HTTPS).

I think it'd be worth talking about sessions (including fixation and hijacking), cookies (the secure and http only flags), HTTP based SSO.

The super-useful
Wow. Lengthy answers, dozens of upvotes for some of them, yet nobody mentions the common mistake of serving login forms over HTTP. I've even argued with people who said "but it submits to https://..." and only got blank stares when I asked if they were sure an attacker didn't rewrite the non-encrypted page the form was served over.

Well, I don't really agree with the Captcha part. Yes, Captchas are annoying and they can be broken (except recaptcha, but this is barely solvable by humans!), but this is exactly like saying don't use a spam filter because it has less than 0.1% false negatives. This very site uses Captchas; they are not perfect but they cut a considerable amount of spam and there's simply no good alternative to them.

@Jeff: I'm sorry to hear that you have issues with my reply. I didn't know there was a debate on Meta about this answer, I would have gladly edited it myself if you'd asked me to. And deleting my posts just deleted 1200 reputation from my account, which hurts :(

"After sending the authentication tokens, the system needs a way to remember that you have been authenticated - this fact should only ever be stored serverside in the session data. A cookie can be used to reference the session data." Not quite. You can (and should, for stateless servers!) use a cryptographically signed cookie. That's impossible to forge, doesn't tie up server resources, and doesn't need sticky sessions or other shenanigans.

"a desktop PC can search the FULL KEYSPACE up to 7 characters in less than 90 days" A machine with a recent GPU can search the full 7 char keyspace in less than 1 day. A top of the line GPU can manage 1 billion hashes per second. golubev.com/hashgpu.htm This leads to some conclusions about password storage which aren't directly addressed.

I'm surprised CSRF protection hasn't been mentioned...
Given the recent MITM vulnerability surrounding signed SSL certificates (blog.startcom.org/?p=145), a combination of SSL and some kind of challenge-response authentication (there are alternatives to SRP) is probably a better solution.

A lot of this stuff is situational. I tend not to use session cookies at all. Cookies getting hijacked is almost always the server's fault. Man in the middle / packet sniffing aren't that common.