I don't see much of a security threat here.
What's the worst-case scenario?

If you take a look at airbnb.com, their registration form keeps your typed 
password even if you fail validation on other fields.

If a website that big can do it then surely my small website will pull through, 
don't you think?

On 25 Jul 2014, at 14:47, Niphlod <niph...@gmail.com> wrote:

> so you really want the webpage to return the actual password instead of 
> asterisks? it's a big security risk, no matter what user experience says.....
> 
> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
> I'm trying to improve user experience on my website and I noticed a rather 
> annoying behavior on password fields:
> 
> If I type a password longer than 8 characters and somehow my form fails (some 
> other field didn't validate), my password gets replaced by "********" in 
> request.vars.password.
> 
> For example:
> I try to login and mistype my username --> login form fails.
> I correct the mistake in the username and press the submit button again --> 
> login still fails, because the password got replaced by '*********' under the 
> hood.
> 
> Another example:
> I try to register and type my password but mistype my password verification 
> (password_two) --> register form fails.
> I focus the password_two field and retype my password --> register still 
> fails because the original password field got replaced...
> 
> This behavior is extremely frustrating for users as they can't print 
> request.vars.password like a developer would. All they see is obfuscated 
> passwords.
> I cannot have this on my commercial website.
> 
> 
> Is there any way to fix this?
> 
> -- 
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> --- 
> You received this message because you are subscribed to a topic in the Google 
> Groups "web2py-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
