Frederic,
I agree that nobody will "welcome" getting the password back as plain text. I am for
NO getter method for the password (we are doing this at the database level). When a user
sees an empty field in the form, he/she is confused: "Do I need to fill it in or
not?" Especially for a password.
Frederic BAGES wrote:
> I haven't tried since the changes were made, but I think it's because of the
> way the session object is managed. You don't lose session information (your
> form) until a timeout occurs. It's the same on many web sites. If you close
> your browser you won't be able to log in without your password. It's better
> than seeing the password in plain text in the HTML source. But I don't know
> why the password is not set to an empty string if you don't fill in the
> password field.
>
> I am forwarding this message to the dev list before the 1.0 release of Struts.
>
> Frederic.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of Maya Muchnik
> Sent: Tuesday, 13 February 2001 15:36
> To: [EMAIL PROTECTED]
> Subject: Re: html:password
>
> OK, you do not display the password as a string of "*", and the password is an
> empty field.
> But then you change another field, not the password, and push "Save". No problem.
> Where is the security? If a user can see the whole "*" string in the source, I think
> it is not a bigger problem than seeing an empty string. I think it is important
> that the password not have a getter method.
>
> Frederic BAGES wrote:
>
> > It was a request from myself. I didn't know that it would annoy anyone. The
> > fact is that if you ask your browser to show you the HTML source you will
> > see the password is embedded in it (in the case of the '*'s). It is not secure
> > and we found that it's better not to fill back the password field.
> >
> > Frederic.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
> > Matthias Bauer
> > Sent: Tuesday, 13 February 2001 10:25
> > To: [EMAIL PROTECTED]
> > Subject: html:password
> >
> > Hi,
> >
> > I just upgraded to Struts 1.0 nightly build 20010212 from an earlier version
> > and found that the html:password tag does not work as in the earlier version I
> > used (20010117): the password is no longer displayed as '*'s. Instead the
> > password field is empty. This does not seem to be a feature, because it imposes
> > some difficulties when I want to offer the user the ability to edit his profile,
> > which contains a password, because now the user always has to re-enter the
> > password, even when he only wants to change some other field of his profile.
> >
> > Has anybody seen the same behaviour?
> >
> > Thanks,
> >
> > --- Matthias
> >
> > Matthias Bauer +++ [EMAIL PROTECTED] +++ LivingLogic AG +++
> > www.livinglogic.de
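The profile-edit pattern the thread converges on, written out as an added Java example (not code from the thread's authors or the Struts project): the form bean never hands the stored password back to the page, and an empty submitted password on "Save" means "keep the existing one" rather than "set a blank password". `ProfileForm` would extend `org.apache.struts.action.ActionForm` in a real application; the base class, `UserRecord` and the SHA-256 stand-in for the application's own password hashing are assumptions so the snippet compiles on its own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Form bean bound to the profile page. The stored password never enters
// this bean, so there is nothing for the html:password tag to echo into
// the HTML source. Only a setter receives what the user typed on submit.
public class ProfileForm {
    private String email = "";
    private String typedPassword = "";   // write-only from the view's side

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email == null ? "" : email; }

    // Populated by the form submission; consulted only by the save step.
    public void setPassword(String p) { this.typedPassword = p == null ? "" : p; }

    // An empty field is the "unchanged" signal, not a request for a blank password.
    public boolean hasNewPassword() { return typedPassword.length() > 0; }
    String newPassword() { return typedPassword; }
}

// Assumed persistence record: holds a hash, never the plain-text password.
class UserRecord {
    String email;
    String passwordHash;
    void setEmail(String e) { email = e; }
    void setPasswordHash(String h) { passwordHash = h; }
}

// The "Save" step: other fields are always updated, the credential only
// when the user actually typed a new one.
class ProfileService {
    void save(ProfileForm form, UserRecord user) throws Exception {
        user.setEmail(form.getEmail());
        if (form.hasNewPassword()) {
            user.setPasswordHash(hash(form.newPassword()));
        }
    }

    // Stand-in for the application's real password hashing (a dedicated
    // slow password hash with a per-user salt belongs here in production).
    static String hash(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```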