Using the same Firebug, look at the Net tab - look at your post and the 
response.


On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>
> Looking at the password input through Firebug/developer tools, and the 
> value of the password input is the plaintext of the password I entered.
>
> I have a test site here: 
> http://tedlee.pythonanywhere.com/welcome/default/user/register
>
> Typing in a password and failing registration will return that password. 
> Is this just the behavior of a modern browser (to remember failed inputs), 
> or is it web2py form handling?
>
> In the case that web2py did only return asterisks, wouldn't that be very 
> misleading to the user? Because the password input is masked, they would 
> assume that the returned password value (after registration failure) was 
> what they previously had typed, not a password replaced with asterisks. 
> Thus on re-submitting the form, they would not think to alter the password 
> and would just submit a password with asterisks.
>
> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>
>> Have you actually looked at it? I believe it just returns asterisks.
>>
>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>
>>> I am currently looking into whether or not password fields should be 
>>> cleared on registration error after the form fails server-side validation. 
>>> At the moment, web2py shows the password after a registration error, 
>>> instead of leaving it blank. While this may make editing the password 
>>> easier (in case there are pw errors), it seems to pose a security risk 
>>> because you are sending the password back to the client in plain text. To 
>>> my understanding, this would allow the page to be cached with the 
>>> password's value in plain text.
>>>
>>> I tested this on a variety of browsers and systems, so to the best of my 
>>> knowledge this behavior is not unique to a browser.
>>>
>>> Does this pose a reasonable security risk?
>>>
>>> Some reference links:
>>>
>>> http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>
>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
>>>
>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
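The behaviour the thread is debating can be reproduced without a browser: if the server re-renders the form with the submitted value in the password input, that value travels back to the client in the response body, which is exactly what the Net tab shows. The following is an added example, not code from the thread or from web2py, written as a framework-agnostic Python mock of a registration handler. The validation rules, field names (`email`, `password`, `password2`) and the `echo_password` switch are constructed for the illustration; `password_in_response` is the Net-tab check done in code, and the `Cache-Control: no-store` header addresses the caching concern raised in the first message.

```python
# Added example (not web2py's code): re-rendering a registration form after
# server-side validation failure, with the submitted password either echoed
# into the HTML (the behaviour reported in the thread) or dropped.
from html import escape
from typing import Dict, List, Tuple

FIELDS: Tuple[Tuple[str, str], ...] = (
    ("email", "text"),
    ("password", "password"),
    ("password2", "password"),
)


def validate_registration(data: Dict[str, str]) -> List[str]:
    """Toy server-side rules, constructed for the example."""
    errors = []
    if "@" not in data.get("email", ""):
        errors.append("email: invalid address")
    if len(data.get("password", "")) < 8:
        errors.append("password: must be at least 8 characters")
    if data.get("password") != data.get("password2"):
        errors.append("password2: passwords do not match")
    return errors


def render_form(data: Dict[str, str], errors: List[str], echo_password: bool) -> str:
    """Rebuild the form. The input mask (type="password") is purely client-side;
    whatever goes into value="..." is sent in the clear in the HTTP response."""
    inputs = []
    for name, kind in FIELDS:
        value = data.get(name, "")
        if kind == "password" and not echo_password:
            value = ""  # hardened: never send the secret back to the client
        inputs.append(
            f'<input type="{kind}" name="{name}" value="{escape(value, quote=True)}">'
        )
    error_items = "".join(f"<li>{escape(e)}</li>" for e in errors)
    return (
        '<form method="post">'
        f'<ul class="errors">{error_items}</ul>'
        + "".join(inputs)
        + "</form>"
    )


def handle_post(data: Dict[str, str], echo_password: bool) -> Dict[str, object]:
    """Minimal POST handler returning status, headers and body."""
    errors = validate_registration(data)
    if not errors:
        # Real code would create the user and redirect; placeholder only.
        return {"status": 302, "headers": {"Location": "/welcome"}, "body": ""}
    return {
        "status": 200,
        # no-store tells browsers and proxies not to keep a copy of a page
        # that may contain user-submitted secrets.
        "headers": {"Content-Type": "text/html", "Cache-Control": "no-store"},
        "body": render_form(data, errors, echo_password),
    }


def password_in_response(body: str, password: str) -> bool:
    """The Net-tab check in code: is the submitted secret in the response,
    either raw or in its HTML-attribute-escaped form?"""
    return password in body or escape(password, quote=True) in body


# Constructed sample submission that fails validation (passwords differ).
SUBMITTED = {"email": "user@example.test", "password": 'S3cr"t&pw', "password2": "mismatch"}

if __name__ == "__main__":
    for echo in (True, False):
        resp = handle_post(SUBMITTED, echo_password=echo)
        leaked = password_in_response(str(resp["body"]), SUBMITTED["password"])
        print(f"echo_password={echo}: password in response body -> {leaked}")
```

Running the block prints `True` for the echoing variant and `False` for the hardened one; note that the echoed copy is HTML-escaped, so a naive search for the raw string can miss it, which is why the check also looks for the escaped form. The `no-store` header does not make echoing safe, it only limits how long the copy lives in caches.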
