Usability Bugs

Understanding the subtle usability bugs in everyday software, devices, and anything "designed".

Why not use HTTP usernames meaningfully?

Try typing yourusername@gmail.com in a browser. Go ahead, do it now. Though this looks like an email address, it is an equally valid Web URL[1]. The part before the hostname, yourusername, is interpreted by Web browsers as a username, and is passed to the Web server as part of the HTTP header information (WWW-Authenticate:).

GMail using usernames in the URL

So how about Web applications start using this meaningfully? Web mail services such as GMail and Yahoo! stand to benefit the most, since the username@host.com syntax looks exactly like an email address. By letting users type email addresses into the browser window, they can automatically pre-populate the username in the logon page that they display, so the user only has to type in a password. Other applications that display semi-public user information without requiring credentials can use the username to customize content. How about manastungare@orkut.com as a link to my Orkut profile?

This idea came up in a discussion with my advisor, Manuel Pérez-Quiñones. He mentioned that he saw a family member type their email address into a browser window, and before he could intercept and correct it, the right page had loaded anyway. Which brought us to the part where this information is discarded by the Web server, and how it could be used meaningfully to make the interaction more efficient through fewer keystrokes. Since such URLs can be bookmarked, the username need not be typed every single time.

Note that I'm not recommending sending passwords this way, because although that is possible, it is a security hazard. Without SSL, these credentials are transmitted as plain text, so the practice is frowned upon. It's best to have the user type in the password at login time on a Web page directly, but there's no reason the username needs to be kept secret.
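A sketch of the server side of this idea, added here as an example and not code from any of the services mentioned: it assumes the username reaches the server in an HTTP Basic `Authorization` request header (RFC 7617), takes only the username from it, ignores any password, and uses the result purely as a pre-fill hint. The function names, the `/login` form action and the username pattern are hypothetical.

```python
import base64
import html
import re

# Assumed policy (not from the post): short, email-local-part style usernames.
USERNAME_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}")


def username_from_basic_header(header_value):
    """Return the username from an 'Authorization: Basic ...' value, or None.

    Any password that came along in the URL is ignored: never used for
    authentication, never stored, never logged.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, non-ASCII input and bad UTF-8
        return None
    # RFC 7617: the user-id is everything before the first colon.
    username, _, _ignored_password = decoded.partition(":")
    if not USERNAME_RE.fullmatch(username):
        return None
    return username


def login_form(header_value):
    """Render a login form with the username pre-filled as a hint only."""
    username = username_from_basic_header(header_value) or ""
    # Escape even after validation: the value comes from a URL anyone can craft.
    value = html.escape(username, quote=True)
    return (
        '<form method="post" action="/login">'
        f'<input name="username" value="{value}">'
        '<input name="password" type="password">'
        "</form>"
    )


if __name__ == "__main__":
    # Constructed sample: a URL username with an empty password.
    sample = "Basic " + base64.b64encode(b"yourusername:").decode("ascii")
    print(login_form(sample))
```

The pre-filled value is a convenience only; the user is authenticated by the password typed into the form, submitted over an encrypted connection.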

(In case you're wondering, the screen shot is fake; I simply typed in the URL after the page loaded. It's meant for illustration purposes only.)

[1] Pedantically speaking, this isn't correct because RFC 1738 does not mention usernames in HTTP URLs. However, most browsers include support for HTTP Basic Authentication, and thus, this can be considered a de facto standard.

About this Blog

I started this blog on World Usability Day 2006 to spread awareness of usability bugs in common software and designs, and to highlight the fact that these really are bugs, no less important than functionality bugs.

I'm a Ph.D. student in Human-Computer Interaction at Virginia Tech. During the past three summers, I interned at Google, Mountain View. You can find more about me at manas.tungare.name.