I haven't tried since the changes were made, but I think it's because of the
way the session object is managed. You don't lose session information (your
form) until a timeout occurs. It's the same on many web sites. If you close
your browser you won't be able to log in without your password. It's better
than seeing the password in plain text in the HTML source. But I don't know
why the password is not set to an empty string if you don't fill in the
password field.

        I am forwarding this message to the dev list before the 1.0 release of Struts.

        Frederic.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of Maya Muchnik
Sent: Tuesday, 13 February 2001 15:36
To: [EMAIL PROTECTED]
Subject: Re: html:password


OK, you do not display the password as some number of "*" and the password is
an empty field. But then you change another field, not the password, and push
"Save". No problem. Where is security? If a user can see the whole "*" string
in the source, I think it is not a bigger problem than seeing an empty string.
I think it is important that password will not have a getter method.

Frederic BAGES wrote:

> It was a request from myself. I didn't know that would annoy anyone. The
> fact is that if you ask your browser to show you the HTML source you will
> see the password is embedded in it (case of '*'). It is not secure and we
> found that it's better not to fill back the password field.
>
>         Frederic.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of
> Matthias Bauer
> Sent: Tuesday, 13 February 2001 10:25
> To: [EMAIL PROTECTED]
> Subject: html:password
>
> Hi,
>
> I just upgraded to struts 1.0 nightly build 20010212 from an earlier version
> and found that the html:password tag does not work as in the earlier version
> I used (20010117): the password is no longer displayed as '*'s. Instead the
> password field is empty. This does not seem to be a feature, because it
> imposes some difficulties when I want to offer the user the option to edit
> his profile, which contains a password, because now the user always has to
> re-enter the password, also when he only wants to change some other field of
> his profile.
>
> Has anybody seen the same behaviour?
>
> Thanks,
>
> --- Matthias
>
> Matthias Bauer +++ [EMAIL PROTECTED] +++ LivingLogic AG +++ www.livinglogic.de
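The thread above circles around two things: the edit form should never write the stored password back into the page source (neither in clear nor as a '*' string), and a user who only changes another field should not be forced to retype the password. The following is an added example, not Struts' own code and not the html:password tag; it sketches one way to satisfy both. The class name ProfileEdit, the map keys ("username", "email", "passwordHash") and the hashPassword helper are assumptions made for the example; the stored profile holds only a hash, so there is nothing to echo back, and a blank password field on submit is read as "leave it unchanged".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Added example (not Struts code): a profile edit form in which the stored
// password is never rendered back into the HTML, and an empty password field
// on submit means "keep the current password".
public class ProfileEdit {

    // Render the edit form. The password input carries no value, so the page
    // source contains neither the password nor a '*' string derived from it.
    // Only the non-secret fields are pre-filled.
    public static String renderForm(Map<String, String> profile) {
        StringBuilder html = new StringBuilder();
        html.append("<form method=\"post\" action=\"/profile\">\n");
        html.append("  <input type=\"text\" name=\"username\" value=\"")
            .append(escape(profile.get("username"))).append("\">\n");
        html.append("  <input type=\"text\" name=\"email\" value=\"")
            .append(escape(profile.get("email"))).append("\">\n");
        html.append("  <input type=\"password\" name=\"password\" value=\"\">\n");
        html.append("  <input type=\"submit\" value=\"Save\">\n");
        html.append("</form>\n");
        return html.toString();
    }

    // Apply a submitted form to the stored profile. The stored map keeps only
    // "passwordHash" (assumed key), never the password itself. A blank
    // submitted password leaves the old hash in place, so changing just the
    // e-mail does not require retyping the password.
    public static Map<String, String> applyUpdate(Map<String, String> stored,
                                                  Map<String, String> submitted) {
        Map<String, String> updated = new HashMap<>(stored);
        updated.put("username", submitted.getOrDefault("username", stored.get("username")));
        updated.put("email", submitted.getOrDefault("email", stored.get("email")));
        String password = submitted.get("password");
        if (password != null && !password.isEmpty()) {
            updated.put("passwordHash", hashPassword(password));
        }
        return updated;
    }

    // Minimal attribute escaping so a pre-filled value cannot break out of the
    // value="..." attribute it is written into.
    private static String escape(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // Hypothetical helper: SHA-256 stands in for a real password hashing
    // function; a production system should use a dedicated slow KDF instead.
    private static String hashPassword(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample profile; the hash is of a placeholder password.
        Map<String, String> stored = new HashMap<>();
        stored.put("username", "maya");
        stored.put("email", "maya@example.invalid");
        stored.put("passwordHash", hashPassword("old-password-placeholder"));

        // The rendered source shows an empty password input, nothing more.
        System.out.print(renderForm(stored));

        // The user changes only the e-mail and leaves the password field blank.
        Map<String, String> submitted = new HashMap<>();
        submitted.put("username", "maya");
        submitted.put("email", "maya.m@example.invalid");
        submitted.put("password", "");
        Map<String, String> updated = applyUpdate(stored, submitted);
        System.out.println("password unchanged: "
            + updated.get("passwordHash").equals(stored.get("passwordHash")));
    }
}
```

Because the form bean never carries the stored password (only its hash, and the hash is never rendered), there is no getter for a password value to leak through the HTML, which is the property Maya asks for; the empty-means-unchanged rule in applyUpdate addresses Matthias's complaint about having to re-enter the password for every unrelated profile change.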
