Proposed Tutorial on Login forms
|Reported by:||neek||Owned by:||neek|
|Keywords:||Cc:||iTorrey, sfoster, dylanks|
The issue of implementing a login form that triggers browser username/password autocompletion is a thorny subject. This is different to simply setting autocomplete=true on <input> fields.. the browser will still refuse to recognise it's a password submission, and offer to remember the username/password combination, if the fields were created dynamically.
The solution seems to be to:
- have the <form> and <input> fields it contains be loaded as plain html in the initial page load
- submit the form using traditional form submission
This means one cannot:
- use any _Templated dijits
- use ajax to submit the logon attempt
However, one _can_ have the contents in a _Templated dijit, thus building it into a dojo-esque user interface, using a little dojo.place() trickery.
- let the content be loaded with visibility:hidden and display:none as a direct child of <body>
- when required, dojo.place() it into the dijit of your choice
- if dijit is destroyed, dojo.place() it back to body.
- allow form submission to go ahead as normal.
http://dojo-sandbox.net/public/3046c/2 is a rough example of how to move the controls into a dijit.Dialog. The form submission won't work, but you can close/reopen the Dialog and it'll move the controls to/from the Dialog properly.
Main problems people will see with this are:
- the controls are not dijits and so do not get themed
- I found that when creating dijits in the hiddenLogin div, when they are dojo.place()'d back to body and then used again (i.e. open/close/open the dialog) their UI disappeared. e.g. http://dojo-sandbox.net/public/3046c/3 .. this might work with a little prodding, but I think then the browser wouldn't store the username/password as they would no longer be the original <input> fields being submitted. Perhaps people would suggest a workaround with hidden textboxes?
- cannot do dojo.xhrPost or similar ajax logon, so must completely re-load app, breaking single-page-per-app paradigm. However, because one would want to post to a https:// scheme and stay on https, and the app would most likely be loaded from http://, this might be seen as acceptable.
What do people think? Is this the right approach, and a suitable basis for a Tutorial?
Change History (4)
comment:1 Changed 13 months ago by dylan
- Cc changed from iTorrey,sfoster to iTorrey, sfoster
- Owner set to neek
- Status changed from new to pending
comment:2 Changed 12 months ago by trac-o-bot
- Resolution set to invalid
- Status changed from pending to closed