Custom Login Forms

You can use a login form by embedding the user name and password into the submitted link. This can be done using the onsubmit action of the submit button to modify the link when the user clicks on it. The disadvantage is that the once the page is returned the username and password will appear in the user's typein location bar. This means it can be bookmarked. The workaround is to use an intermediate page meta-refresh with a delay of zero to the actual user viewable page. This will move the page fast enough that the user will not book mark it. A side effect of this technique is that the back button will not work because the user will be going back one page which then goes forward again. An additional consideration is that the user visible page cannot be in a protected area because the browser does not send referrer information on the meta-refresh request. A request to a protected area will fail on such a request because of the referrer check mechanism.

An example of the required final link when using a form is: /?path=

Please note that user names and passwords containing the '@' or ':' characters will have to be escaped if a custom login form is to be used. This is necessary because some browsers interpret the first '@' symbol found in a link as the transition to the host part of the url and the first ':' symbol as the separator between the username and password . We actually do encourage the use of email addresses as user names because real email addresses are guaranteed to be unique by definition. They are also easy to remember. Of course, using symbols in passwords has always been a key recommendation for secure passwords.

The substitutions are:

'@' = chr(254) ':' = chr(255)

Thus the username/password combination:

'' is changed to: 'someone.important^|word'


'^' = chr(254) '|' = chr(255)

These are believed to be safe because they are not normally available directly from a keyboard and thus are not likely to be used by anyone for a user name or password. These transformations are handled properly in the example login page code that is provided to you.

*Example reference link goes here.


Meta-Refresh Directives
Login Process
table of contents
full printable document





password protection ...
... industrial strength
distributed password protection
iis basic authentication
iis digest authentication

copyright(c) 2003
all rights reserved

design -