Apparently, writing a login page that works is Hard

[torkell]

This morning I'd just finished reading a book on the Kindle and since I hadn't yet turned my computer on, I decided to quickly check my email from the Kindle. Now, the webhost has a webmail service and the Kindle has a web browser so this should all work. Unfortunately, since I last used it the webhost has upgraded to the latest and shiniest version of cPanel, wherein the only visible difference is a shiny new login page. So, enter username, enter password, select login button... and absolutely nothing happens. The Kindle will happily highlight the button as something that can be clicked on, but whatever Javascript monstrosity is actually powering the login page prevents me from, well, logging in.

Later, for a laugh, I decided to try the Wii's browser (which is based on Opera). After persuading it to connect to the webmail address (hint: if you want to connect to a non-standard port, you have to enter the full URL including the "http://" bit) I then entered my username and password and selected the login button. At which point everything on the page disappeared except for the background image. I suppose this is a slight improvement on the Kindle. Actually if you then reload the page it seems to work, but I only tripped across that by accident when hitting the Wii browser's "change layout" button.

So I pulled up the source of the login page to try and work out just how they've managed to break such a simple thing. What seems to happen when you click the login button, some Javascript takes over and sends an AJAX request off. When the response comes back it'll display a message and if the login was successful redirect to the webmail interface a few moments later.

It's all shiny and AJAXy and Web 2.0 and completely pointless, not to mention broken in at least two web browsers. What was wrong with just using a server-side redirect (like the previous version did)? For that matter, what was wrong with using HTTP-based authentication (like the version before did)?

Oh, and in Internet Explorer 8 the background image on the login page doesn't show up. That's not due to a browser bug, but rather it's a deliberate decision in the CSS.

Comments

[crschmidt.livejournal.com]

It's possible (though unlikely) that Javascript is being used to do a client-side password hash, rather than sending the password in the raw to the server. However, since both the Kindle and the Wii support Javascript enough to do that, there's absolutely no excuse to not still support submitting the form in a normal way; it's just an explanation of why there is a plausible explanation of Javascript being involved at all.

[torkell]

That would be a sensible reason (and I recall LJ do such a thing), but the Javascript just submits the password in the clear. The sole purpose of the Javascript is to do the login via AJAX.

There is fallback support for Javascript being disabled (via noscript tags and an actual action for the form to submit to). So it'd probably work on the Kindle if I disabled Javascript, but that's not something I should have to do.

[crschmidt.livejournal.com]

Yeah, LJ did it at a time when they weren't convinced using SSL for the form submission was going to work (they were worried about CPU load on the server). Then they added an SSL for only their login page, and if you chose to go HTTP they still did it in Javascript. Dunno where they are now -- I don't pay that much attention anymore.

Shame that it's not something reasonable, but since the reasonable thing wouldn't have failed, I'm not surprised.

Even using Gmail works on the Kindle, so it's a real shame that apps which presumably take advantage of significantly less Javascript can't be made to work by the people who write them.