I still cannot replicate the behavior you observe. Can you show your code 
or attach a minimal app that demonstrates the behavior?

Anthony

On Friday, July 25, 2014 9:56:38 AM UTC-4, Louis Amon wrote:
>
> @Anthony: Indeed, I forgot to add that I’m using auth forms through ajax 
> via LOAD. The problem may be due to ajax's JSON conversion of request.vars.
>
> On 25 Jul 2014, at 15:52, Anthony <[email protected]> wrote:
>
> I think common practice is to leave password fields blank after a login 
> failure so the password must be re-entered.
>
> In any case, I cannot replicate either behavior you describe using the 
> standard web2py Auth forms. When I have a failed login, the entire login 
> form is reloaded empty. When I enter the second password incorrectly on a 
> register form, the form reloads, and I only have to correct the second 
> password, not re-enter the first.
>
> Can you show the code you are using for your forms?
>
> Anthony
>
> On Friday, July 25, 2014 9:32:03 AM UTC-4, Louis Amon wrote:
>>
>> We’re all developers here so I couldn’t agree more.
>>
>> Still, I’m running a commercial website so I’m a slave to what my users 
>> want.
>> As far as my customers are concerned, security comes second after ease of 
>> use…
>>
>> Anyway, you have to admit that the examples I gave in the first post are 
>> misleading in terms of user experience, right?
>>
>> Isn’t there a way to improve it without compromising security too much?
>> I can see one: erasing input fields after each validation failure (blank 
>> fields are less misleading). Do you see others?
>>
>>
>> On 25 Jul 2014, at 15:19, Willoughby <[email protected]> wrote:
>>
>> A simple google search will yield people complaining about their host 
>> accounts getting hacked on airbnb.
>> Just because someone or something large 'does it that way' doesn't mean 
>> it's a best practice!
>>
>> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
>>>
>>> I don’t see much of a security threat here.
>>> What’s the worst-case scenario?
>>>
>>> If you take a look at airbnb.com <http://www.airbnb.com/>, their 
>>> registration form keeps your typed password even if you fail validation on 
>>> other fields.
>>>
>>> If a website that big can do it then surely my small website will pull 
>>> through, don’t you think?
>>>
>>> On 25 Jul 2014, at 14:47, Niphlod <[email protected]> wrote:
>>>
>>> So you really want the webpage to return the actual password instead of 
>>> asterisks? It's a big security risk, no matter what user experience 
>>> says...
>>>
>>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>>>>
>>>> I'm trying to improve user experience on my website and I noticed a 
>>>> rather annoying behavior on password fields:
>>>>
>>>> If I type a password longer than 8 characters and somehow my form fails 
>>>> (some other field didn't validate), my password gets replaced by 
>>>> "********" 
>>>> in request.vars.password.
>>>>
>>>> For example:
>>>> I try to login and mistype my username --> login form fails.
>>>> I correct the mistake in the username and press the submit button again 
>>>> --> login still fails, because the password got replaced by '*********' 
>>>> under the hood.
>>>>
>>>> Another example:
>>>> I try to register and type my password but mistyped my password 
>>>> verification (password_two) --> register form fails.
>>>> I focus the password_two field and retype my password --> register 
>>>> still fails because the original password field got replaced...
>>>>
>>>> This behavior is extremely frustrating for users as they can't print 
>>>> request.vars.password like a developer would. All they see is obfuscated 
>>>> passwords.
>>>> I cannot have this on my commercial website.
>>>>
>>>>
>>>> Is there any way to fix this?
>>>>
>>>
>>> -- 
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> --- 
>>> You received this message because you are subscribed to a topic in the 
>>> Google Groups "web2py-users" group.
>>> To unsubscribe from this topic, visit 
>>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to 
>>> [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>>
>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
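
The three redisplay policies discussed in this thread (echo the typed password, show a mask, leave the field blank), as an added example that is not part of the original messages and is not web2py code. It is framework-independent Python with hypothetical names (`render_login`, `second_attempt`, `MASK`) and a constructed account, and it shows why a mask placed in the value attribute fails on resubmission while a blank field keeps the secret out of the response.

```python
import hashlib
import hmac
import html
import os

MASK = "********"            # placeholder of the kind described in the thread
SALT = os.urandom(16)

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account for the demonstration.
USERS = {"louis": hash_password("correct horse battery")}

def check_login(username, password):
    candidate = hash_password(password)       # hash even for unknown users
    return hmac.compare_digest(USERS.get(username, b""), candidate)

def redisplayed_password(password, policy):
    """Value placed in the password input when the form is re-rendered."""
    if policy == "echo":      # typed secret travels back in the response body
        return password
    if policy == "mask":      # placeholder is indistinguishable from real input
        return MASK if password else ""
    if policy == "blank":     # field is emptied; the user must retype
        return ""
    raise ValueError("unknown policy: %r" % policy)

def render_login(form_vars, policy):
    """Re-render the login form after a failed attempt."""
    username = html.escape(form_vars.get("username", ""), quote=True)
    password = html.escape(
        redisplayed_password(form_vars.get("password", ""), policy), quote=True)
    return ('<form method="post">'
            '<input name="username" value="%s">'
            '<input name="password" type="password" value="%s">'
            '</form>' % (username, password))

def second_attempt(first_vars, corrected_username, policy, retyped=None):
    """User fixes only the username; the browser posts whatever is in the
    password input unless the user retypes it."""
    shown = redisplayed_password(first_vars.get("password", ""), policy)
    return check_login(corrected_username, shown if retyped is None else retyped)
```

With the `mask` policy the second attempt fails unless the user retypes the password, which is the symptom reported in the first post; with `blank` the empty field makes the need to retype visible.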