On Mon, 13 Feb 2012 17:10:47 -0800, K. Peachey p858snake@gmail.com wrote:
On Tue, Feb 14, 2012 at 10:38 AM, Shivansh Srivastava shivansh.bits@gmail.com wrote:
- jQuery drop menu for login - (https://svn.wikimedia.org/svnroot/mediawiki/trunk/mockups/ajax-mockups/Login...)
- Can be integrated with AJAX for an on the page account validation or creation; without having to go to a different page. (
I believe we had a GSoC project not long ago (last year?) to improve the login progress (including the AJAX side of things and API support for it). Although for security reasons I believe we would want to leave the Login stuff on its own page (for security reasons).
The idea that login is secure because it's on a separate page than the rest of the site is actually an old mistake. If a script is included ANYWHERE on the site on the same domain then it's possible to inject in some code that will fake pageviews in a way that will let an attacker have a running script when the user follows the login link to the login page. So there isn't really any security advantage of a separate login page over an ajax login. (well ;) unless you're using the separate login page because you have js disabled, then you're safe, heh)