On 3/4/06, Jeff Watkins <[EMAIL PROTECTED]> wrote:
>
> OK. I've spent the last hour or so writing a registration controller
> for user accounts for a TG-based app only to discover that the
> user_name and password fields are getting stripped out by the
> Identity filter.
>
> My thought at this point is to *require* the presence of a special
> (hidden) field in a login form to trigger the automatic login.
>
> Something like:
>
> <input type="hidden" name="tg_identity_login" value="anything works"/>
>
> Any complaints?
Another naive comment by someone who hasn't used Identity. Don't people log in at a specific URL? Isn't that enough to verify whether the username/password fields are "ours" or not? Or the config file could specify which fields to look for.

The main problem with the hidden field is it exposes security-sensitive information; namely, which authentication module you're using. So a creep can look up "tg_identity_login" on a creepy website and find out (1) this is turbogears.Identity, and (2) here are the top ten exploits against it.

--
Mike Orr <[EMAIL PROTECTED]> ([EMAIL PROTECTED] address is semi-reliable)

You received this message because you are subscribed to the Google Groups "TurboGears" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/turbogears
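The two triggers discussed in this thread side by side, as an added example that is not part of the original messages and not TurboGears' own Identity code: a "magic hidden field" trigger that fires on any URL and advertises the framework by its field name, versus a trigger that only consumes credentials when the request targets the configured login URL and carries the configured field names. The config class, its key names and the `/login` and `/register` paths are assumptions made for this illustration; with the URL-based trigger, a registration form posting `user_name` and `password` to a different URL keeps its fields.

```python
"""Deciding when a request is a login attempt.

Added example, not TurboGears Identity code. Contrasts the hidden-field
trigger proposed in the thread with a login-URL-plus-configured-fields
trigger, and shows the registration form being left alone by the latter.
"""
from dataclasses import dataclass


@dataclass
class IdentityConfig:
    """Constructed stand-in for the app config; the key names are assumptions."""
    login_url: str = "/login"
    user_field: str = "user_name"
    password_field: str = "password"


def hidden_field_trigger(form, trigger="tg_identity_login"):
    """The proposal in the thread: treat any request carrying the magic hidden
    field as a login. It works on every URL, and the field name itself tells a
    visitor which authentication module the site uses."""
    return trigger in form


def login_url_trigger(path, form, cfg):
    """The alternative from the reply: only a request to the configured login
    URL that carries both configured credential fields counts as a login."""
    return (path == cfg.login_url
            and cfg.user_field in form
            and cfg.password_field in form)


def consume_credentials(path, form, cfg):
    """Return (credentials, remaining_form).

    Credentials are pulled out of the form only when the request is a login;
    otherwise the form is passed through untouched, so a registration
    controller on another URL still sees its user_name and password fields.
    """
    if not login_url_trigger(path, form, cfg):
        return None, dict(form)
    creds = (form[cfg.user_field], form[cfg.password_field])
    rest = {k: v for k, v in form.items()
            if k not in (cfg.user_field, cfg.password_field)}
    return creds, rest


if __name__ == "__main__":
    cfg = IdentityConfig()
    # Constructed sample submissions: a registration form and a login form.
    registration = {"user_name": "alice", "password": "s3cret", "email": "alice@example.test"}
    login = {"user_name": "alice", "password": "s3cret"}
    print(consume_credentials("/register", registration, cfg))  # (None, full form)
    print(consume_credentials("/login", login, cfg))            # (('alice', 's3cret'), {})
```

The hidden-field variant is kept only to show what the reply objects to: because it ignores the URL, it cannot distinguish a registration form from a login form without a framework-specific marker, and that marker is exactly the fingerprint the reply warns about.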

