May I answer your question with a question?

Why would you want your password field to have the value pre-filled on the
page?  Then the password is in plain text available to the user (and
assuming you're not on https, anyone in between).  I've never seen an
instance where this was a good idea.

If you're trying to do an auto-login, you shouldn't show the login page at
all.  Pseudo code would be:

if (!getYourSession().isSignedIn()) {
  String token = getCookie(someCookieID);
  // look the user up only when the cookie actually carried a token
  User user = (token != null && !token.isEmpty()) ? lookupUser(token) : null;
  if (user != null) {
    getYourSession().signIn(user);
  } else {
    // only here would you show login page, without anything pre-filled,
    // because they're not already signed in and they don't have a cookie
    // to sign them in
    setResponsePage(YourLoginPage.class);
  }
}

On Tue, Dec 2, 2008 at 9:26 PM, Casper Bang <[EMAIL PROTECTED]> wrote:

> I'm trying to implement credentials memory functionality for a login form
> using cookies. I know there's an official example (
> http://wicketstuff.org/wicket13/signin2/?x=7*:org.apache.wicket.examples.signin2.SignIn2)
> however it simply delegates to some panel which is not available as source
> on the page. So anyway, it should be simple, and all works great except that
> I can not get the password field to get filled out upon page load. In my
> constructor of my panel I do the following:
>
>       Cookie credentials =
> ((WebRequest)getRequestCycle().getRequest()).getCookie("credentials");
>       remember = credentials != null;
>       if(remember){
>           String[] credentialParts = credentials.getValue().split(":");
>           username = credentialParts[0];
>           password = credentialParts[1];
>       }
>
> The fields username and password of the panel are bound to the form using a
> CompoundPropertyModel. When I sniff request and response headers, I can see
> that indeed the cookie info is sent around fine. I guess it has to do with
> security somehow, but shouldn't this be possible even if I am using a
> PasswordTextField?
>
> Thanks in advance,
> Casper
>


-- 
Jeremy Thomerson
http://www.wickettraining.com
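
Added example, not part of the original thread and not Wicket or wicketstuff code: one way the server side of lookupUser(token) from the pseudo code above could work, so that the cookie carries a random token instead of the username:password pair. The class name, the 14-day lifetime, the in-memory map and the String user id are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side store backing lookupUser(token); needs Java 16+ for records. */
public class RememberMeTokens {
  private record Entry(String userId, Instant expires) {}
  private static final Duration LIFETIME = Duration.ofDays(14); // assumed policy
  private final SecureRandom random = new SecureRandom();
  // Keyed by SHA-256 of the token, so a leaked store cannot be replayed as cookies.
  private final Map<String, Entry> byHash = new ConcurrentHashMap<>();

  /** Creates the cookie value: 256 random bits, nothing derived from the password. */
  public String issue(String userId) {
    byte[] raw = new byte[32];
    random.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    byHash.put(sha256(token), new Entry(userId, Instant.now().plus(LIFETIME)));
    return token;
  }

  /** Returns the user id for a valid token, else null. Single-use: issue a new one after sign-in. */
  public String lookupUser(String token) {
    if (token == null || token.isEmpty()) return null;
    Entry e = byHash.remove(sha256(token)); // removed even if expired
    if (e == null || Instant.now().isAfter(e.expires())) return null;
    return e.userId();
  }

  private static String sha256(String s) {
    try {
      byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
      return Base64.getEncoder().encodeToString(d);
    } catch (NoSuchAlgorithmException ex) {
      throw new IllegalStateException(ex); // SHA-256 is mandatory on every JRE
    }
  }

  public static void main(String[] args) {
    RememberMeTokens store = new RememberMeTokens();
    String cookieValue = store.issue("casper");             // constructed sample user
    System.out.println(store.lookupUser(cookieValue));      // first use of the token
    System.out.println(store.lookupUser(cookieValue));      // replay of the same token
  }
}
```

The token would go into the cookie with the Secure and HttpOnly attributes set, and signing out should delete the stored entry as well as the cookie.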
