Embedded Login Forms

Occasionally I get an email asking for a solution to a problem that happens to be something on my mind at that time.

Yesterday it was embedded login forms. You see them everywhere but never in Domino sites. You know the ones I mean? You visit a site you're not logged in to and every page has a name/password login form on it. Take iStockPhoto.com for example. The homepage has a login form, as do all subsequent pages, like this one.

I want to do this in Domino and I want to do it from within the current database. What I don't want to do is use domcfg.nsf. Using domcfg.nsf limits you to one design and I want to keep the form within the context of the current database. Has anybody done this already?

My current thinking is that I'll use a simple embedded form that GETs a URL which passes the user credentials to a "login" agent. This agent simply re-directs the user back to the current page (HTTP_Referer). If the login was a success the embedded form is no longer there (hide-whens). The URL would simply be (for session-based authentication):


I know what you're thinking. That's a plain text password in a URL! Well, whichever way you authenticate the password is send as plain text. Hopefully using a GET form and a URL replace will mean it never appears in the address bar or in the history. I've not tried or tested this yet, but I'm confident it will work. Watch this space.


    • avatar
    • Chris
    • Thu 23 Jun 2005 18:43

    why would post not work?

    • avatar
    • Andrew Tetlaw
    • Thu 23 Jun 2005 19:57

    Or you could follow this advice:

    "Just create a login form called $$LoginUserForm (this is one of those "the name makes the functionality" special form names) for your applications. This form will be used for each database in which it resides and you can customize it as you like."

    Also in domcfg.nsf you creat form mappings one for each virtual host, so different designs are possible.

    • avatar
    • Yuval
    • Thu 23 Jun 2005 20:10

    I guess hidden iframe contains the domcfg and some JS can do the trick

  1. I have to agree with Chris on this one. Why not use a form with post-data. I've been using that on my dominobased site for some time now. Works like a charm.

    • avatar
    • Nick
    • Fri 24 Jun 2005 02:01

    I just create a subform and close the domino form and start a post form with an action of /names.nsf?login, username and password fields, a field called redirectTo with contains the url to return to after login, usually the url of the current page and a submit button. I then hide this subform when the user is logged in. Hope that helps

    • avatar
    • Lucio
    • Fri 24 Jun 2005 03:13

    Hi Jake, with Domino 6 you can create as many login forms as you need, in the database of the site that you are developing, and then you can map it in the Domcfg.nsf database.

    I'm using this with many sites we host on our Domino server.


    • avatar
    • Lucio
    • Fri 24 Jun 2005 03:14

    Sorry, I forgot to say you've to enable Session authentication on server.

    Hope this helps.

    • avatar
    • Jake Howlett
    • Fri 24 Jun 2005 06:10

    Thanks guys. I was hoping for lots of "It's possible and easy" responses like this. I'll investigate and write more about it later on...

  2. Lucio is right. But you should never send passwords in plain text. In domcfg.nsf you can configure the database that holds the login form. For that database only, you tick the box to "require SSL" in the db properties. assuming you have SSL enabled the passwrod will be protected.


    • avatar
    • Dick Norman
    • Fri 24 Jun 2005 07:59

    I like Nick's unhidden/hidden subform idea, but I would probably use SSL Ajax to talk to the back-end.

  3. Mark Barton and I used a simple HTML subform to POST to a java agent in a project we teamed up on last year. You could POST to a regular agent as well. It seemed easiest at the time to go oldschool and avoid Domino specific features. Works fine.

  4. I used cookie based authentication on this Domino web site: {Link}


  5. Nick has it right. My Domino based portals use the same approach.

    • avatar
    • Jake Howlett
    • Fri 24 Jun 2005 12:50

    I think Clint has nailed it on the head with his solution. I should have though of that sooner.

    Jerry. What does your Java agent do? Is that where your authentication takes place?

  6. oops, did not read Clint's link. Same as Nick's and works like a charm

  7. The one problem I have had with embedding a form on a Notes Form (like Clint's solution) is that when a person fails authenticating he/she will be redirected to the default domcfg.nsf form, not very cool. I haven't tried Andrew Tetlaw's option but it seems like it would work better with the authentication process in domino.

  8. I use a computed subform that only appears when @Username="Anonymous". It authenticates against

    /names.nsf?Login, our you could post to a full https address.

    Site is Domino and Tomcat https://www.ctrlspecbuilder.com/

    • avatar
    • Ayhan
    • Sat 25 Jun 2005 15:58


    thank you all for the ideas. I prefere the solution with the embedded iframe. Only added in the form-action the target-Tag with the "_top" value.

    Thank you Jake, too.

    The guy from germany :-)

  9. Good point, Jason. I forgot to mention that part. :p But it is an easy implementation and can be used in any type of page such as ASP.NET, PHP, etc. You do have the problem if the user fails to authenticate on the first shot, but at least the initial login form looks nice....

  10. I use a subform embedded in every form, that acts as a login form. View the source at the website. If an error occurs it is picked up by either the $$ReturnAuthorisationFailure or $$ReturnAuthenticationFailure forms. Once logged in the subform displays a silly "Hi User first name" message and give's you the options to change your account details. It's logging out that *@#^$@!! doesn't always work.

    • avatar
    • Andrew Tetlaw
    • Mon 27 Jun 2005 19:41

    Problem with custom embedded html solutions is once there's an authentication error you go back to whatever Domino has as a default.

    i.e. You log someone in but then they try to view something that are permitted to Domino will display the default login form.

    If you add a form called '$$LoginUserForm' to your database Domino will ALWAYS use that form in all situations for that application.

    • avatar
    • YoGi
    • Tue 28 Jun 2005 06:35


    Works like a charm with AJAX and subforms (like Nick's method).

  11. Jake: Sorry for not replying sooner, been busy. Our agent authenticated against a non domino authority, something I recalled after posting (later that night, actually).

    This simplified things from several perspectives, most notably licensing and maintenance of self registered users. Probably not the same scenario you have in mind, however.

    • avatar
    • NDV
    • Thu 30 Jun 2005 06:16

    What is this " /names.nsf?login" syntax? I've not seen this in documentation or in the Notes forums. Can someone explain this please? I have tried this with my organisation's Domino Directory but I get a 401, even though I know I have full ACL rights to the nsf. Anyone?


    • avatar
    • gsd
    • Fri 19 Aug 2005 09:31


    • avatar
    • Matt
    • Tue 28 Aug 2007 12:44 PM

    I wanted to include this in my website but was warned off it, mainly because

    1) User cannot be sure that the data is being sent securely and to which site.

    2) Hackers can sniff your keystrokes and get your login details.

    You will see most banks and on-line transaction sites require you to login using a custom secure page for this reason.

    See below for more detailed information


Your Comments


About This Page

Written by Jake Howlett on Fri 24 Jun 2005

Share This Page

# ( ) '


The most recent comments added:

Skip to the comments or add your own.

You can subscribe to an individual RSS feed of comments on this entry.

Let's Get Social

About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.

Read more about this site »

More Content