Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab is the HTML of the returned page. This response contains the password input value in plain text.
If I submitted the password as "asdf" and submitted the registration form with failures, the response will contain this (as shown in the Net tab):

<input class="password" id="auth_user_password" name="password" type="password" value="asdf" />

Does no one else experience this behavior?

On Tuesday, August 26, 2014 11:08:14 AM UTC-7, Willoughby wrote:
>
> Using the same Firebug, look at the Net tab - look at your post and the response.
>
> On Tuesday, August 26, 2014 1:32:14 PM UTC-4, Mark Li wrote:
>>
>> Looking at the password input through Firebug/developer tools, the value of the password input is the plaintext of the password I entered.
>>
>> I have a test site here:
>> http://tedlee.pythonanywhere.com/welcome/default/user/register
>>
>> Typing in a password and failing registration will return that password. Is this just the behavior of a modern browser (to remember failed inputs), or is it web2py form handling?
>>
>> In the case that web2py did only return asterisks, wouldn't that be very misleading to the user? Because the password input is masked, they would assume that the returned password value (after registration failure) was what they previously had typed, not a password replaced with asterisks. Thus on re-submitting the form, they would not think to alter the password and would just submit a password with asterisks.
>>
>> On Monday, August 25, 2014 3:25:44 PM UTC-7, Derek wrote:
>>>
>>> Have you actually looked at it? I believe it just returns asterisks.
>>>
>>> On Monday, August 25, 2014 3:02:49 PM UTC-7, Mark Li wrote:
>>>>
>>>> I am currently looking into whether or not password fields should be cleared on registration error after the form fails server-side validation. At the moment, web2py shows the password after a registration error, instead of leaving it blank. While this may make editing the password easier (in case there are pw errors), it seems to pose a security risk because you are sending the password back to the client in plain text. To my understanding, this would allow the page to be cached with the password's value in plain text.
>>>>
>>>> I tested this on a variety of browsers and systems, so to the best of my knowledge this behavior is not unique to a browser.
>>>>
>>>> Does this pose a reasonable security risk?
>>>>
>>>> Some reference links:
>>>>
>>>> http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
>>>>
>>>> http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case
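Added example, not code from this thread or from web2py: framework-independent Python showing the two sides of the point the thread raises. `render_form` re-renders a form after a server-side validation failure and always blanks password-type inputs, so the secret never lands in the response body (and therefore in any cache or proxy log of that response). `find_password_values` is the check a test suite can run over a captured response to flag exactly the condition the poster saw in the Net tab. The field list, submitted values and error messages are constructed; the one leaked `<input>` element is the one quoted in the message above.

```python
"""Safe re-render of a failed registration form, plus a leak check.
Example code; not web2py's own form handling."""
from html import escape
from html.parser import HTMLParser

# Hypothetical registration form: (field name, input type). Constructed.
REGISTER_FIELDS = [
    ("first_name", "text"),
    ("email", "text"),
    ("password", "password"),
    ("password_two", "password"),
]

# Constructed submission that fails validation.
SUBMITTED = {
    "first_name": "Mark",
    "email": "not-an-email",
    "password": "asdf",
    "password_two": "asdg",
}
ERRORS = {
    "email": "enter a valid email address",
    "password_two": "passwords do not match",
}

# The response fragment quoted in the thread (leaks the typed password).
LEAKED_RESPONSE = (
    '<input class="password" id="auth_user_password" name="password" '
    'type="password" value="asdf" />'
)


def render_form(fields, submitted, errors):
    """Re-render the form after validation failure.

    Non-secret fields keep the submitted value so the user can correct them.
    Password-type fields are rendered with an empty value regardless of what
    was submitted, so the plaintext password is never echoed to the client.
    Values are attribute-escaped so a submitted '"' cannot break out of the
    attribute.
    """
    parts = []
    for name, input_type in fields:
        value = "" if input_type == "password" else submitted.get(name, "")
        parts.append(
            '<input name="%s" type="%s" value="%s" />'
            % (escape(name, quote=True), input_type, escape(value, quote=True))
        )
        if name in errors:
            parts.append('<span class="error">%s</span>' % escape(errors[name]))
    return "\n".join(parts)


class _PasswordValueFinder(HTMLParser):
    """Collects (name, value) for every password input with a non-empty value."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    # HTMLParser routes self-closing tags (<input ... />) here as well.
    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("type") or "").lower() == "password" and attr.get("value"):
            self.leaks.append((attr.get("name"), attr["value"]))


def find_password_values(html_text):
    """Return a list of (input name, leaked value) pairs found in a response.

    An empty list means no password input carries a value attribute, which is
    the condition a registration response should satisfy after any failure.
    """
    finder = _PasswordValueFinder()
    finder.feed(html_text)
    finder.close()
    return finder.leaks


if __name__ == "__main__":
    print("leaks in quoted response:", find_password_values(LEAKED_RESPONSE))
    safe_html = render_form(REGISTER_FIELDS, SUBMITTED, ERRORS)
    print(safe_html)
    print("leaks in safe re-render:", find_password_values(safe_html))
```

Blanking both password fields on failure is the convention the linked UX questions describe, and it removes the ambiguity the thread worries about with asterisks: an empty masked field clearly asks the user to type again, whereas a field of asterisks looks like a preserved value. The check is cheap enough to run against every error-path response of a registration or password-change view in a test suite.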