outbreak

Me

My name is Marko Mrdjenovič. I’m a web developer, manager and an entrepreneur from Ljubljana, Slovenia.

Bio

I like solving problems. I do that by writing code, managing projects and people. I like creating good experiences. And going to conferences.

Availability

I work full time on Klevio so I'm currently not available for freelance work (UX, frontend, backend).


Login code pattern

When coding a login interface it’s common to follow this pattern (POST, then redirect, then GET):

  1. POST the form data to a script that checks it and, on success, sets the session cookie
  2. On success redirect to the previous (or some other) page
  3. On error show that error or redirect to an error page

You do this so that the destination page is loaded with a GET: reloading it does not re-submit the form, so users don’t get the annoying “resend data” pop-up. On the other hand the pattern hides a usability problem when the login data is correct but cookies are turned off: the session cookie set in step 1 never comes back, so the destination page treats the user as logged out and typically sends them straight back to the login form.

For some reason my cookies were disabled today. That means that logging in to Twitter (which uses the previously described pattern) looked a bit weird. I’d log in, get redirected and end up on the home page again. The same thing happened on the Mozilla Add-ons page. The very definition of recursion.

When I finally figured it out, I immediately thought of a solution. When redirecting after the POST, add a marker to the URL (a query parameter, say). That way the destination page knows a login has just happened, can check whether the session cookie actually arrived, and can tell you that cookies are disabled if it did not.

Now this has a few problems of its own:

  1. A distinct post-login URL reveals that you have an account on that service: anything that can tell which URLs you have visited (history sniffing through :visited styling, for instance) can pick it up.
  2. If you make the URL user-specific to get around the previous issue, you leak that user information to everything that sees the URL (browser history, Referer headers, proxy and server logs).
  3. If you reload the destination page after the session has expired, the marker is still in the URL and the alert fires although nothing is wrong with cookies. Avoiding that needs server-side logic that checks the session really has just started, or a marker that stops being valid after a short time.

With all this in mind I still think that redirecting to a different URL is better than leaving users without any information, no matter how uncommon disabled cookies are.

How do YOU solve this?


Opinions

  1. Jure

    Wouldn’t you want to split 1.) into

    – check if user supports cookies
    – set appropriate cookies

    So that you can actually tell the user to check for cookies. At least that’s the way Django works.

  2. Marko Mrdjenovic

    Not sure what you mean by “check if the user supports cookies” as you can’t really do that on the server unless you’re already expecting a cookie.

    You could be setting a cookie when displaying the page with the login form and expecting that cookie to show up after POST, but that might also be an issue as cookies expire.
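The two ideas in the post and the comments, put together in one runnable model, as an added example that is not code from the original post, from Twitter, from Django or from the comment authors. It is framework-free Python: a Django-style test cookie is set with the login form and expected back on the POST, so a browser that drops cookies gets a message instead of a redirect loop; the redirect after a successful login carries a signed timestamp (nothing user-specific, which addresses problem 2) and the destination page only shows the “cookies disabled” message while that marker is recent (problem 3). The user, password, signing key, in-memory session table and the `simulate` client are all constructed for the example; a real service would use per-user salts and a proper session store.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data (hypothetical, not from the post): one user, a fixed
# signing key and an in-memory session table.
SECRET = b"hypothetical-server-secret"
PASSWORD = "correct horse battery staple"
FRESH_WINDOW = 60          # seconds a "just logged in" marker stays valid
SESSIONS: dict = {}        # session id -> username


def _pw_hash(password: str) -> bytes:
    # Fixed salt only for the example; real code stores a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 10_000)


USERS = {"alice": _pw_hash(PASSWORD)}


@dataclass
class Response:
    status: int
    body: str = ""
    cookies: dict = field(default_factory=dict)   # Set-Cookie name -> value ("" = delete)
    location: str = ""                            # Location header for a 302


def _sign(message: str) -> str:
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()


def fresh_marker(now: int) -> str:
    """Marker for the redirect URL: a signed timestamp, nothing user-specific."""
    return f"{now}.{_sign(str(now))}"


def marker_is_fresh(marker: str, now: int) -> bool:
    """Server-side check that a login happened within FRESH_WINDOW seconds."""
    stamp, _, sig = marker.partition(".")
    if not stamp.isdigit() or not sig.isascii():
        return False
    if not hmac.compare_digest(sig, _sign(stamp)):
        return False
    return 0 <= now - int(stamp) <= FRESH_WINDOW


def get_login() -> Response:
    # Test cookie set with the form; post_login expects it back.
    return Response(200, "login form", cookies={"testcookie": "1"})


def post_login(form: dict, cookies: dict, now: int) -> Response:
    if cookies.get("testcookie") != "1":
        # No cookie came back: report it here instead of redirecting into a loop.
        # An expired test cookie lands here too, so re-issue it with the message.
        return Response(200, "cookies are disabled or expired; enable them and retry",
                        cookies={"testcookie": "1"})
    user = form.get("user", "")
    if not hmac.compare_digest(USERS.get(user, b""), _pw_hash(form.get("password", ""))):
        return Response(200, "invalid credentials")
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    target = form.get("next", "/")
    joiner = "&" if "?" in target else "?"
    return Response(302, cookies={"sid": sid, "testcookie": ""},
                    location=target + joiner + urlencode({"fresh": fresh_marker(now)}))


def get_home(url: str, cookies: dict, now: int) -> Response:
    user = SESSIONS.get(cookies.get("sid", ""))
    if user:
        return Response(200, f"welcome {user}")
    marker = parse_qs(urlsplit(url).query).get("fresh", [""])[0]
    if marker_is_fresh(marker, now):
        # Login succeeded moments ago but no session cookie arrived: say so.
        return Response(200, "logged in, but your browser did not keep the session cookie")
    return Response(200, "please log in")   # absent, forged or stale marker: plain page


def simulate(now: int, blocked=(), password: str = PASSWORD) -> str:
    """Drive the flow like a browser that refuses the cookies named in `blocked`."""
    jar: dict = {}

    def store(resp: Response) -> None:
        for name, value in resp.cookies.items():
            if name in blocked:
                continue
            if value == "":
                jar.pop(name, None)
            else:
                jar[name] = value

    store(get_login())
    resp = post_login({"user": "alice", "password": password, "next": "/"}, dict(jar), now)
    store(resp)
    if resp.status != 302:
        return resp.body
    return get_home(resp.location, dict(jar), now).body


if __name__ == "__main__":
    print(simulate(1000))                                 # welcome alice
    print(simulate(1000, blocked=("testcookie", "sid")))  # warning from the POST handler
    print(simulate(1000, blocked=("sid",)))               # marker-based warning on the home page
```

The test cookie catches the common case before any redirect happens; the URL marker is the fallback for a browser that returned the test cookie but did not store the session cookie (a rejected cookie attribute, a per-site rule, or a test cookie that outlived a change of settings). Reloading the home page after the session has expired shows the plain logged-out page, because the marker is older than `FRESH_WINDOW`. Problem 1 from the post remains: the post-login URL is still distinguishable from the plain one, so it is still visible to history sniffing.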