[
https://issues.apache.org/jira/browse/ROL-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618400#comment-13618400
]
Noah Slater edited comment on ROL-1959 at 3/31/13 5:40 PM:
-----------------------------------------------------------
I guess I don't consider maxlength="20" on an input element to be "validation".
In my mind, I would be able to enter any length password in that box and the
"client-side validation" would tell me that the password was too long without
needing a round-trip to the server. Then, supposing that JavaScript is disabled
or whatever, the form is submitted anyway, the web application responds with a
copy of the form, complete with an error about the length of the password.

I guess when you lay it out like you have done in your previous comment, it is
obvious that the maxlength=20 attribute needs to go. Because it is a password
field, you cannot reliably tell what has happened. If it were a country field,
you would spot this happening immediately. For example, Twitter only allows
your "location" to be 30 characters long. When my friend tried to fill it out,
he saw that the field said "United Kingdom of Great Britai". Note that in this
instance, he chose to leave it like that, as a sort of protest against the
length restriction.

But you get my point, I think. The combination of type="password" and
maxlength="X" introduces a unique problem, in that there is no way for you to
know whether your input has been truncated. This is why I believe there should
be some notification. (Note that Roller does not even tell you that your
password can only be 20 characters.)
> Remove client-side restriction on password length, switch to server-side
> validation instead.
> --------------------------------------------------------------------------------------------
>
> Key: ROL-1959
> URL: https://issues.apache.org/jira/browse/ROL-1959
> Project: Roller
> Issue Type: Improvement
> Reporter: Noah Slater
> Assignee: Roller Unassigned
> Attachments: roller_password_screenshot.png
>
>
> Sorry for the vague ticket title. I don't want to make presumptions about the
> issue.
> Steps to reproduce:
> 1. Log in
> 2. Set your password to something long and complex like:
> xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa
> 3. Log out
> 4. Try to log back in again
> What I see:
> I am unable to log in.
> What I expect to see:
> I am able to log in.
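
The truncation discussed in this comment, modelled as an added example that is not part of the ticket or of Roller's code: a field with maxlength silently shortens the new password, so the stored hash no longer matches what the user types at login, while a server-side length check rejects the same input with a visible error. All function names are hypothetical, and the assumption that the login request carries the full string is this example's, not the ticket's.

```javascript
// Added example; function names are hypothetical, not Roller's.
const { scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");

const MAX_LEN = 20; // limit from the ticket's maxlength="20"
const TICKET_PASSWORD = "xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa";

// Models <input maxlength="N">: text past N UTF-16 code units is dropped
// silently. Pass undefined for a field with no maxlength.
function typedIntoField(text, maxlength) {
  return maxlength === undefined ? text : text.slice(0, maxlength);
}

function hashPassword(password) {
  const salt = randomBytes(16);
  return { salt, hash: scryptSync(password, salt, 32) };
}

function verifyPassword(password, record) {
  return timingSafeEqual(scryptSync(password, record.salt, 32), record.hash);
}

// Server-side validation: reject with a message the form can display.
function validateNewPassword(password) {
  if (password.length > MAX_LEN) {
    return { ok: false,
             error: `Password is ${password.length} characters; maximum is ${MAX_LEN}.` };
  }
  return { ok: true };
}

// Assumption: the login request carries the full string the user typed.
function changeThenLogin(chosen, changeFormMaxlength) {
  const submitted = typedIntoField(chosen, changeFormMaxlength);
  const check = validateNewPassword(submitted);
  if (!check.ok) return { stored: false, error: check.error };
  const record = hashPassword(submitted);
  return { stored: true,
           truncated: submitted !== chosen,
           loginOk: verifyPassword(chosen, record) };
}

console.log(changeThenLogin(TICKET_PASSWORD, MAX_LEN));   // silent truncation
console.log(changeThenLogin(TICKET_PASSWORD, undefined)); // explicit rejection
```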