Is input validation for a login form overkill? Overhead + “too much javascript” concerns
Would it be overkill to validate on blur (and on keyup only if the previous input was invalid) whether what is entered in the e-mail text field is an e-mail address, and that the password is of the minimum length (registration requires that the password be at least 6 characters)?
No, it would not be overkill to validate on blur. It would be overkill to validate on keyup. I personally consider that annoying as a user.
I already coded the server-side logic to handle login, so not implementing the input validation would redirect to either the “valid input but incorrect” or “e-mail not in system” error pages.*
I would recommend against such error pages but instead redirect to the login form again with an error report saying that such and such is invalid. Error messages should be used for valid data that is not matched in the database.
Currently, my system has a different notification for an incorrect e-mail/password combo than it does for an e-mail that’s not in the system. I notice many sites have the same message for both (something like: “user-name or password may be incorrect”), and many don’t.
Many systems can be more complex than you would expect. Some systems have no way to detect whether the user does not exist because they treat the user / password as a single entity. If you treat them differently feel free to give more information to the user.
Should I change my system to allow for ambiguity, or is it fine as is?)
I would recommend you give two error messages “user name is incorrect” and “user name or password is incorrect”. The user doesn’t need to be told that said user name does not exist in your database, it merely needs to know he typed the user name wrong.
Not to mention that waiting on a server round trip is significantly higher latency than local JavaScript feedback. If you used something like Node.js you could even have your validation in one place and not have two copies of it maintained.
Originally posted 2013-11-09 20:46:13.
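The pieces discussed in this thread, as an added example that is not part of the original question or answer: one validation function shared by the browser and the server, the blur/keyup trigger policy from the question, and a server handler that sends malformed input back to the form but answers every failed login with the single message the question says many sites use. The names `checkCredentials`, the view names and the message texts are assumptions made for illustration.

```javascript
// Added example. Shared rules: the same function can run in the browser
// (on blur) and on the server, so there is only one copy to maintain.
const MIN_PASSWORD_LENGTH = 6; // registration minimum stated in the question
// Deliberately loose shape check (assumption): one "@", no spaces, a dot in the domain.
const EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateLoginInput(email, password) {
  const errors = {};
  if (typeof email !== 'string' || !EMAIL_SHAPE.test(email.trim())) {
    errors.email = 'Enter a valid e-mail address.';
  }
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
    errors.password = `Password must be at least ${MIN_PASSWORD_LENGTH} characters.`;
  }
  return errors; // an empty object means the input is well-formed
}

// Trigger policy from the question: always check on blur; check on keyup
// only while the field is already marked invalid.
function shouldValidate(eventType, fieldIsMarkedInvalid) {
  return eventType === 'blur' || (eventType === 'keyup' && fieldIsMarkedInvalid);
}

// Server side. `checkCredentials` is a hypothetical injected function that
// looks up the account and compares the password hash; it returns
// 'ok', 'unknown_user' or 'wrong_password'.
function handleLogin(email, password, checkCredentials) {
  // The client-side check can be bypassed, so the same rules run again here.
  const errors = validateLoginInput(email, password);
  if (Object.keys(errors).length > 0) {
    return { status: 'invalid_input', view: 'login', errors };
  }
  const outcome = checkCredentials(email.trim(), password);
  if (outcome === 'ok') {
    return { status: 'ok', view: 'home', errors: {} };
  }
  // Both failure causes produce an identical response, so the form does
  // not reveal which e-mail addresses are registered.
  return {
    status: 'rejected',
    view: 'login',
    errors: { form: 'E-mail or password is incorrect.' },
  };
}
```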