HTTP+HTML form-based authentication, commonly referred to simply as form-based authentication, is a technique whereby a website uses a web form to collect, and subsequently authenticate, credential information from a user agent, typically a web browser. (Note that the phrase "form-based authentication" is ambiguous; see form-based authentication for more details.)
Summary of interaction
The technical steps are:
- An unauthenticated user agent requests a web page from a website via the HTTP protocol.
- The website returns an HTML web page to the unauthenticated user agent. The web page consists of at least an HTML-based web form that prompts the user for a username and password, along with a button labeled "login" or "submit".
- The user fills in their username and password, then presses the submit button.
- The user agent sends the web form data (which includes the username and password) to the web server.
- The website implementation, running on the web server, performs some verification and validation operations on the web form data. If these succeed, the website considers the user agent to be authenticated.
Adoption considerations
HTTP+HTML form-based authentication is the most common user authentication technique used on the current World Wide Web. It is the preferred approach for wikis, forums, banking/financial sites, e-commerce websites, web search engines, web portals, and other common web-server applications.
This popularity is apparently due to website owners or operators wanting fine-grained control over the presentation and behavior of the prompt for the user's credentials, whereas the default pop-up dialog (for HTTP basic access authentication or digest access authentication) that many web browsers provide does not permit any customization at all. The desired customization may be motivated by corporate requirements (e.g. branding) or by implementation issues (e.g. the default configuration of website software such as MediaWiki, phpBB, Drupal, or WordPress). Whatever the reason, corporate branding or user experience customization should not detract from the security considerations of this authentication process.
Security considerations
- The user's credentials are communicated in the clear to the website, unless steps such as the use of Transport Layer Security (TLS) are taken.
- The technique is essentially an ad hoc one: it involves no interaction between the user agent and the web server beyond standardized HTTP and HTML themselves. The actual authentication mechanism used by the website is, by default, unknown to the user and the user agent. The form itself, including the number of editable fields and the content expected in them, is entirely implementation and deployment dependent.
- The technique is inherently phishable, that is, vulnerable to a criminal posing as a trusted party in the authentication process. This is because it depends on the end user accurately verifying, every time, that they are accessing the correct URL, so as not to send their password to an untrusted server. Users frequently fail to do this, which is why phishing has become the most common form of security breach.
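The following added example (not part of the original article) models both the interaction summarized above and the first security consideration. It constructs the form submission the way a browser would encode it, then performs the server-side verification step and issues a session cookie. The user store, field names, salted PBKDF2 hashing, and the `/login` action are all assumptions chosen for illustration; the website's real mechanism is, as the article says, implementation dependent.

```python
"""Constructed model of HTTP+HTML form-based authentication.

Left side: what the user agent sends (steps 3-4).
Right side: what the website does with it (step 5).
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# The HTML form returned in step 2 (hypothetical field names).
LOGIN_FORM = """<form method="post" action="/login">
  <input name="username">
  <input name="password" type="password">
  <button type="submit">login</button>
</form>"""


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the site stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}
SESSIONS: dict = {}  # session token -> username


def build_form_submission(username: str, password: str) -> str:
    """Steps 3-4: the application/x-www-form-urlencoded POST body a browser
    builds from the form. Note the password is readable in this string;
    without TLS it travels over the network exactly like this."""
    return urlencode({"username": username, "password": password})


def handle_login(body: str):
    """Step 5: verify the submitted credentials.

    Returns (status_code, response_headers). On success the user agent is
    marked authenticated by a random session token in a hardened cookie.
    """
    fields = parse_qs(body, keep_blank_values=True)
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]

    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the account exists.
        hash_password(password, _SALT)
        return 401, {}

    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return 401, {}

    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    headers = {
        "Location": "/",
        # Secure: only over TLS; HttpOnly: not readable by page scripts.
        "Set-Cookie": f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax",
    }
    return 303, headers


def session_user(cookie_header: str):
    """Later requests: map the session cookie back to the authenticated user."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


if __name__ == "__main__":
    body = build_form_submission("alice", "correct horse battery")
    print("POST body as sent on the wire:", body)
    status, headers = handle_login(body)
    print("Server response:", status, headers)
```

The `build_form_submission` output is the point of the first security consideration: the credential is plain URL-encoded text, and only the transport (TLS) keeps it confidential. On the server side, the example stores only salted hashes, compares them in constant time, and avoids leaking whether a username exists through timing.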
See also
- Authentication
- Basic access authentication
- Digest access authentication
- Form-based authentication
- Sign in
Source of the article : Wikipedia