Hello,

I want my web site to open a login form in a modal div window (like thickbox works). So I see 2 questions here:

  1. Client validation - should I send the plain login & password from JavaScript in a POST request to the server? Is it safe to do so?
  2. Use of an IFrame. The login link will be on every page in the top right corner, so I'm just thinking about avoiding CSS style collisions and ruining the DOM model. What is the best practice here - should I use an IFrame or not?
A: 

When sending any user name and password you should always send over https (if you're using javascript, you could also hash it on the client side rather than on the server side, but I usually leave that sort of processing to the server side). But using https is an absolute must.

As for the iFrame, I prefer using a standard include on a page with navigation menus and anything else that appears on all pages. Unless you have a need for frames, I'd avoid them since they may render differently on different browsers.

Jeff Storey
+2  A: 
  1. Sending credentials is safe as long as the POST request is using HTTPS.

  2. I would use jQuery UI's dialog widget. Because it uses jQuery underneath, you can be fairly certain it will be supported across every popular browser. Either way, avoid using an iframe if at all possible.

William Brendel
Thanks for the help. I don't have HTTPS, but I found another good way here: http://ajaxpatterns.org/Direct_Login
Vitaly
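
An added example, not part of either answer above, of the HTTPS requirement both answers state, applied to a modal login form. The function names, the `/session` endpoint, the `username`/`password` field names and the `example.test` host are assumptions made for illustration.

```javascript
// Added example: buildLoginRequest and submitLogin are hypothetical names.

// Build the POST for a modal login form, refusing any setup in which the
// credentials, or the script that reads them, could be altered in transit.
function buildLoginRequest(pageUrl, action, username, password) {
  const page = new URL(pageUrl);
  const target = new URL(action, page); // resolves relative form actions

  // The page hosting the modal must itself be HTTPS: on an HTTP page the
  // script that reads the password field can be modified before it runs.
  if (page.protocol !== "https:") {
    throw new Error("login modal must be served over HTTPS");
  }
  // Checked separately from the origin test so the error names the real problem.
  if (target.protocol !== "https:") {
    throw new Error("login endpoint must use HTTPS");
  }
  // Keep credentials on the site's own origin.
  if (target.origin !== page.origin) {
    throw new Error("login endpoint must be same-origin");
  }

  // Credentials travel in the POST body, never in the URL.
  const body = new URLSearchParams({ username, password });
  return {
    url: target.href,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
      credentials: "same-origin",
    },
  };
}

// Browser-side use from the dialog's submit handler (no iframe involved).
async function submitLogin(form) {
  const req = buildLoginRequest(
    location.href,
    form.getAttribute("action"),
    form.elements.username.value,
    form.elements.password.value
  );
  const res = await fetch(req.url, req.options);
  return res.ok;
}
```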