@Anthony: Indeed, I forgot to add that I'm using auth forms through ajax via LOAD. The problem may be due to ajax's JSON conversion of request.vars.
On 25 Jul 2014 at 15:52, Anthony <[email protected]> wrote:

> I think common practice is to leave password fields blank after a login
> failure so the password must be re-entered.
>
> In any case, I cannot replicate either behavior you describe using the
> standard web2py Auth forms. When I have a failed login, the entire login form
> is reloaded empty. When I enter the second password incorrectly on a register
> form, the form reloads, and I only have to correct the second password, not
> re-enter the first.
>
> Can you show the code you are using for your forms?
>
> Anthony
>
> On Friday, July 25, 2014 9:32:03 AM UTC-4, Louis Amon wrote:
> We're all developers here so I couldn't agree more.
>
> Still, I'm running a commercial website so I'm a slave to what my users want.
> As far as my customers are concerned, security comes second after ease of
> use...
>
> Anyway, you have to admit that the examples I gave in the first post are
> misleading in terms of user experience, right?
>
> Isn't there a way to improve it without compromising security too much?
> I can see one: erasing input fields after each validation failure (blank
> fields are less misleading). Do you see others?
>
> On 25 Jul 2014 at 15:19, Willoughby <[email protected]> wrote:
>
>> A simple Google search will yield people complaining about their host
>> accounts getting hacked on airbnb.
>> Just because someone or something large 'does it that way' doesn't mean it's
>> a best practice!
>>
>> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
>> I don't see much of a security threat here.
>> What's the worst-case scenario?
>>
>> If you take a look at airbnb.com, their registration form keeps your typed
>> password even if you fail validation on other fields.
>>
>> If a website that big can do it then surely my small website will pull
>> through, don't you think?
>>
>> On 25 Jul 2014 at 14:47, Niphlod <[email protected]> wrote:
>>
>>> So you really want the webpage to return the actual password instead of
>>> asterisks? It's a big security risk, no matter what user experience
>>> says.....
>>>
>>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>>> I'm trying to improve user experience on my website and I noticed a rather
>>> annoying behavior on password fields:
>>>
>>> If I type a password longer than 8 characters and somehow my form fails
>>> (some other field didn't validate), my password gets replaced by "********"
>>> in request.vars.password.
>>>
>>> For example:
>>> I try to login and mistype my username --> login form fails.
>>> I correct the mistake in the username and press the submit button again -->
>>> login still fails, because the password got replaced by '*********' under
>>> the hood.
>>>
>>> Another example:
>>> I try to register and type my password but mistype my password
>>> verification (password_two) --> register form fails.
>>> I focus the password_two field and retype my password --> register still
>>> fails because the original password field got replaced...
>>>
>>> This behavior is extremely frustrating for users as they can't print
>>> request.vars.password like a developer would. All they see is obfuscated
>>> passwords.
>>> I cannot have this on my commercial website.
>>>
>>> Is there any way to fix this?
>>>
>>> --
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> ---
>>> You received this message because you are subscribed to a topic in the
>>> Google Groups "web2py-users" group.
>>> To unsubscribe from this topic, visit
>>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to
>>> [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
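The three ways of re-rendering a password field after a failed validation that the thread argues about (echo the typed password back, refill it with asterisks, or blank it), as an added Python example that is not web2py's code: the field names, the PBKDF2 hashing and the login simulation are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not web2py's code: field names and hashing scheme are assumptions.
PASSWORD_FIELDS = ("password", "password_two")
MASK = "*" * 8  # the "********" the thread reports seeing in request.vars.password


def rerender_values(submitted, policy):
    """Return the values written back into the form's inputs after a failed validation.

    "echo":  send the typed password back to the browser; it then sits verbatim in the
             HTML response (page source, and anything between server and browser).
    "mask":  refill the field with asterisks; resubmitting sends the asterisks, so the
             retry fails with no visible reason (the symptom described in the thread).
    "blank": clear the field so the user must retype it (the common practice).
    """
    if policy not in ("echo", "mask", "blank"):
        raise ValueError("unknown policy %r" % policy)
    values = dict(submitted)
    for field in PASSWORD_FIELDS:
        if field in values and policy == "mask":
            values[field] = MASK
        elif field in values and policy == "blank":
            values[field] = ""
    return values


def leaks_password(submitted, policy):
    """True if a typed password would be sent back to the browser unchanged."""
    rendered = rerender_values(submitted, policy)
    return any(rendered.get(f) == submitted[f] for f in PASSWORD_FIELDS if f in submitted)


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random salt (assumed scheme, not web2py's own)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def retry_after_failure(submitted, policy, salt, digest):
    """Simulate the thread's first example: the username was mistyped, the form is
    re-rendered under `policy`, the user corrects the username and resubmits whatever
    the password field now holds. Returns whether the retried login succeeds."""
    resubmitted = rerender_values(submitted, policy)
    resubmitted["username"] = "louis"  # user fixes the typo in the username
    return verify_password(resubmitted["password"], salt, digest)
```

Only "echo" makes the retry succeed, and only "echo" puts the password back into the response; "mask" neither leaks nor works, which is why the user sees a failure they cannot explain.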

