When coding a login interface it’s common to follow this pattern:
- POST data to a script that checks it and sets appropriate cookies
- On success redirect to the previous (or some other) page
- On error show that error or redirect to an error page
You do this so that users don’t get the annoying “resend data” pop-up if/when they reload the destination page. On the other hand this pattern exposes a usability issue when login data is correct but cookies are turned off.
For some reason my cookies were disabled today. That means that logging in to Twitter (that uses the previously described pattern) looked a bit weird. I’d log in, get redirected and end up on the home page again. Same thing happened on Mozilla Addons page. The very definition of recursion.
When I finally figured it out, I immediately thought of a solution. When you redirect from the post add something to the URL – that way the redirected page can check if you’re actually logged in and alert you if you’re not.
Now this has a few problems of its own:
- It exposes that you have an account on a specific service that can be detected with history sniffing.
- If you create a user based URL to circumvent the previous issue you might leak user information.
- If you reload the destination page after session expired you’ll get an alert that might be wrong itself (you would have to implement some server-side logic that checks if the session has just started).
With all this in mind I still think that redirecting to a different URL is better than leaving users without any information (no matter how uncommon having disabled cookies is).
How do YOU solve this?
Wouldn’t you want to split 1.) into
– check if user supports cookies
– set appropriate cookies
So that you can actually tell the user to check for cookies. At least that’s the way Django works.
Not sure what you mean by “check if users supports cookies” as you can’t really do that on the server unless you’re already expecting a cookie.
You could be setting a cookie when displaying the page with the login form and expecting that cookie to show up after POST, but that might also be an issue as cookies expire.
Django has a method for this:
http://docs.djangoproject.com/en/dev/topics/http/sessions/#setting-test-cookies
Run first method on showing login screen, so you can present a cookies related error after POST.
If user manages to lose that cookie in that time window, then he’ll have problems with your site anyway.