[Update: March 20, 2007] Before putting the finishing touches on this AJAX Login System / Control, I've decided to see just how secure it is by issuing a challenge. See if you can crack it...
[Update: February 26, 2007] For source code and an updated demo of the AJAX Login System described here, see - Compatibility with ASP.NET.
Let's be honest: the sign in / login process that most web applications use is not extremely complex. Yet most people would agree that it is more complex than it needs to be, and the user experience in particular has a lot of room for improvement.
Typically, when a web application needs to authenticate a user, it will present them with a login form.
The form usually has two fields: one for the user's name and one for their password. After a user fills out the form, they press a button to log in. This usually redirects to another page which indicates the result of the login attempt. If the attempt was unsuccessful, this may be the same page with a message indicating that the user should try again.
Most users are familiar with this process and probably don't find it overly complicated. What users probably do want to change is the number of clicks and the amount of time that signing in / logging in to a website takes.
One way to simplify this experience is by using a bit of AJAX. The idea is to keep the good aspects of the traditional sign in process, yet replace or improve the distasteful ones. With this in mind, here is a list of desired attributes for an AJAX login control which is simple to use by both web developers and end users:
- Very, Very Intuitive User Interface.
The user interface should have the minimum functionality required to authenticate a user. For example, there is no need to require a user to enter both a username and an email address when the email address alone is sufficient. It should also provide helpful messages about what is happening. If there is an error (e.g. a validation or authentication failure), the user should receive a friendly message indicating what happened without being redirected to another page.
- Secure Without SSL.
It seems that the most popular, and probably the most effective, way to secure the login process is SSL. Any website that takes security seriously will most likely be using SSL for transmission of all sensitive data. However, SSL is really quite complex to configure and can also be expensive (especially for smaller web sites). I really believe that there are other ways to secure the login process that are much less complex and less expensive.
- URL Accessible Functionality.
A common problem with applications that use AJAX functionality is that some of that functionality is not accessible through a unique URL. Users should be able to reach the basic sign in features via URL. These include signing in, signing out, and creating an account.
- Easy, Very Easy to Add to Web Pages.
There should be no need to require an assembly, server control, or other installation in order to use the sign in control. Ultimately, it should be added to pages via a single line of HTML.
- (bonus) Usable with Any Membership System.
There are many different ways to store user information. Storing data in a specific way in order to be compatible with a sign in control or system should not be required. The server side authentication process should thus be membership provider independent.
- (bonus) Compatible with ASP.NET 2.0 Forms Authentication.
I would guess that the majority of ASP.NET 2.0 applications which require any type of authentication are using the default ASP.NET 2.0 Membership Schema. The reason is that solid (and free) tools already exist to leverage it. The ASP.NET team at Microsoft has done an outstanding job with this piece of ASP.NET 2.0. With the built-in controls and navigable Membership, Role, and Profile APIs, adding membership capabilities to a web application has never been easier. Rather than requiring applications to change their membership system, the control should work with the ASP.NET 2.0 Membership System so that applications already using it can adopt a simple AJAX sign in control with little effort.
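To make the first and fifth attributes concrete, here is an added example of the round trip such a control performs: the client checks the two fields, sends a single request, and writes the outcome next to the form instead of redirecting, while the server re-validates the input, asks an injected user validator (so the handler does not depend on any one membership store), and returns the same generic failure message whether the account is unknown or the password is wrong. This is example code written for this page, not the author's control; the field names, the JSON shape, the `transport` callback standing in for an XMLHttpRequest POST, and the constructed sample account are all assumptions.

```javascript
// Added example (not the article's code): one AJAX-style sign-in round trip.
// Field names, JSON shape and the in-process "server" are assumptions.

// ---- Server side -------------------------------------------------------

// Constructed sample store standing in for a membership provider. A real
// provider compares against a salted hash, never a stored clear password.
const SAMPLE_ACCOUNTS = new Map([["alice@example.com", "correct horse"]]);

// Stand-in validator. On ASP.NET 2.0 the handler would call
// Membership.ValidateUser(name, password) here instead.
function sampleValidateUser(email, password) {
  const stored = SAMPLE_ACCOUNTS.get(email);
  return stored !== undefined && stored === password;
}

// Handles the posted JSON body. validateUser is injected so the handler does
// not depend on any particular membership store.
function handleLoginRequest(body, validateUser) {
  // Re-validate on the server: the client-side check is only a convenience.
  if (!body || typeof body.email !== "string" || typeof body.password !== "string" ||
      body.email.length === 0 || body.password.length === 0) {
    return { status: 400, json: { ok: false, message: "Email and password are required." } };
  }
  const email = body.email.trim().toLowerCase();
  // One generic message covers unknown user and wrong password alike, so the
  // response does not reveal which accounts exist.
  if (!validateUser(email, body.password)) {
    return { status: 401, json: { ok: false, message: "Sign in failed. Please check your email and password." } };
  }
  return { status: 200, json: { ok: true, message: "Signed in as " + email } };
}

// ---- Client side -------------------------------------------------------

// Checks run in the page before any request is sent, so an empty field gets
// an immediate inline message instead of a round trip.
function validateLoginForm(fields) {
  const errors = [];
  if (!fields.email || !/^[^@\s]+@[^@\s]+$/.test(fields.email.trim())) {
    errors.push("Enter a valid email address.");
  }
  if (!fields.password) {
    errors.push("Enter your password.");
  }
  return errors;
}

// transport(body, callback) stands in for an XMLHttpRequest POST; callback
// receives the parsed JSON response. onResult receives what the page shows.
function signIn(fields, transport, onResult) {
  const errors = validateLoginForm(fields);
  if (errors.length > 0) {
    onResult({ signedIn: false, message: errors.join(" ") });
    return;
  }
  transport({ email: fields.email.trim(), password: fields.password }, function (response) {
    onResult({ signedIn: response.ok === true, message: response.message });
  });
}

// Text the page would write into a status element beside the form; there is
// no redirect in either outcome.
function renderStatus(result) {
  return (result.signedIn ? "[ok] " : "[error] ") + result.message;
}

// In-process transport wiring the client directly to the handler, so the
// whole flow runs without a browser or a server.
function localTransport(body, callback) {
  callback(handleLoginRequest(body, sampleValidateUser).json);
}

signIn({ email: "alice@example.com", password: "correct horse" }, localTransport,
  function (result) { console.log(renderStatus(result)); });
```

In a page, `transport` would wrap an XMLHttpRequest and `onResult` would set the text of a status element under the form; the form itself never leaves the page. Because `handleLoginRequest` only sees a `validateUser` function, the same handler serves a custom user table or the ASP.NET Membership API without changes.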
Is it possible to create such an AJAX login control? Well, we are about to find out...