My web application has a login page that submits authentication credentials via an AJAX call. If the user enters the correct username and password, everything is fine, but if not, the following happens:

  1. The web server determines that although the request included a well-formed Authorization header, the credentials in the header do not successfully authenticate.
  2. The web server returns a 401 status code and includes one or more WWW-Authenticate headers listing the supported authentication types.
  3. The browser detects that the response to my call on the XMLHttpRequest object is a 401 and the response includes WWW-Authenticate headers. It then pops up an authentication dialog asking, again, for the username and password.

This is all fine up until step 3. I don't want the dialog to pop up; I want to handle the 401 response in my AJAX callback function. (For example, by displaying an error message on the login page.) I want the user to re-enter their username and password, of course, but I want them to see my friendly, reassuring login form, not the browser's ugly, default authentication dialog.

Incidentally, I have no control over the server, so having it return a custom status code (i.e., something other than a 401) is not an option.

Is there any way I can suppress the authentication dialog? In particular, can I suppress the Authentication Required dialog in Firefox 2 or later? Is there any way to suppress the Connect to [host] dialog in IE 6 and later?


Edit
Additional information from the author (Sept. 18):
I should add that the real problem with the browser's authentication dialog popping up is that it gives insufficient information to the user.

The user has just entered a username and password via the form on the login page, he believes he has typed them both correctly, and he has clicked the submit button or hit enter. His expectation is that he will be taken to the next page or perhaps told that he has entered his information incorrectly and should try again. However, he is instead presented with an unexpected dialog box.

The dialog makes no acknowledgment of the fact he just did enter a username and password. It does not clearly state that there was a problem and that he should try again. Instead, the dialog box presents the user with cryptic information like "The site says: '[realm]'." Where [realm] is a short realm name that only a programmer could love.

Web browser designers take note: no one would ask how to suppress the authentication dialog if the dialog itself were simply more user-friendly. The entire reason that I am doing a login form is that our product management team rightly considers the browsers' authentication dialogs to be awful.

A: 

I think it's just good practice to give the user another attempt to be able to try to login again. I think the dialog box will only appear three times.

RedWolves
+1  A: 

What server technology do you use and is there a particular product you use for authentication?

Since the browser is only doing its job, I believe you have to change things on the server side to not return a 401 status code. This could be done using custom authentication forms that simply return the form again when the authentication fails.

jan.vdbergh
+2  A: 

I don't think this is possible -- if you use the browser's HTTP client implementation, it will always pop up that dialog. Two hacks come to mind:

  1. Maybe Flash handles this differently (I haven't tried yet), so having a Flash movie make the request might help.

  2. You can set up a 'proxy' for the service that you're accessing on your own server, and have it modify the authentication headers a bit, so that the browser doesn't recognise them.

Marijn
"Not possible" appears to be the correct answer, although I suspect that the "proxy" hack would do the trick.
dgvid
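
The 'proxy' workaround from the answer above, as an added example that is not part of the original thread: a same-origin Node.js relay that prefixes every scheme in `WWW-Authenticate` on 401 responses, so the browser no longer recognises the challenge and the 401 reaches the XMLHttpRequest callback. `PREFIX`, the function names and the `upstream` host/port object are assumptions made for illustration.

```javascript
// Added example (not from the thread): rename the auth schemes in
// WWW-Authenticate on 401 responses relayed by a same-origin proxy.
// PREFIX, the function names and `upstream` are assumptions for illustration.
const PREFIX = 'x-';

// Split a header value on commas that are outside quoted strings.
function splitOutsideQuotes(value) {
  const parts = [''];
  let inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === ',' && !inQuote) { parts.push(''); continue; }
    if (ch === '"') inQuote = !inQuote;
    parts[parts.length - 1] += (ch === '\\' && inQuote) ? ch + (value[++i] || '') : ch;
  }
  return parts;
}

// A comma-separated element opens a new challenge when its first token is not
// followed by "=" (otherwise it is a parameter such as nonce="...").
function renameSchemes(value) {
  const scheme = /^(\s*)([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?!\s*=)(?=\s|$)/;
  return splitOutsideQuotes(value)
    .map((part) => part.replace(scheme, (m, ws, name) => ws + PREFIX + name))
    .join(',');
}

// Copy Node-style (lower-cased) response headers, rewriting only 401 challenges.
function rewriteHeaders(statusCode, headers) {
  const out = { ...headers };
  const v = out['www-authenticate'];
  if (statusCode !== 401 || v === undefined) return out;
  out['www-authenticate'] = Array.isArray(v) ? v.map(renameSchemes) : renameSchemes(v);
  return out;
}

// Handler for http.createServer(); `http` is Node's http module, passed in.
function makeProxyHandler(http, upstream) {
  return (req, res) => {
    const headers = { ...req.headers, host: `${upstream.host}:${upstream.port}` };
    const opts = { ...upstream, method: req.method, path: req.url, headers };
    const up = http.request(opts, (upRes) => {
      res.writeHead(upRes.statusCode, rewriteHeaders(upRes.statusCode, upRes.headers));
      upRes.pipe(res);
    });
    up.on('error', () => { res.writeHead(502); res.end(); });
    req.pipe(up);
  };
}
```

The relay sees every `Authorization` header it forwards, so it belongs on the same origin as the login page and behind TLS on both hops.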
A: 

Agreed. If an HTTP 401 status code is sent to the browser, it would be bad design not to display some sort of feedback to the user. It just makes sense to ask for a username and password. What about 403 forbidden?

J D OConal
A: 

In Mozilla you can achieve it with the following script when you create the XMLHttpRequest object:

    var xmlHttp = new XMLHttpRequest();
    xmlHttp.mozBackgroundRequest = true;  // Mozilla-only property
    xmlHttp.open("GET", URL, true, USERNAME, PASSWORD);
    xmlHttp.send(null);

The 2nd line prevents the dialog box.

This appears to do nothing under Firefox 2. It results in a DOM security error, NS_ERROR_DOM_SECURITY_ERR code 1000, under Firefox 3.
dgvid
+1  A: 

In Mozilla land, setting the mozBackgroundRequest parameter of XMLHttpRequest (docs) to true suppresses those dialogs and causes the requests to simply fail. However, I don't know how good cross-browser support is (including whether the quality of the error info on those failed requests is very good across browsers.)

rakslice