I still don't see the behavior for login, but for registration, you can try:
db.auth_user.password.widget = lambda k,v: SQLFORM.widgets.password.widget(k , None, _id="login_password", _class="input-basic input-200") Anthony On Friday, July 25, 2014 10:35:18 AM UTC-4, Louis Amon wrote: > > After much research I found the trigger to replicate the issue : > > db.auth_user.password.widget = lambda k,v: SQLFORM.widgets.password.widget > (k, v, _id="login_password", _class="input-basic input-200") > > > If you type a password longer than 8 characters and the validation fails, > your password will be replaced with '********' in request.vars.password. > > > On Friday, July 25, 2014 4:12:06 PM UTC+2, Anthony wrote: >> >> I still cannot replicate the behavior you observe. Can you show your code >> or attach a minimal app that demonstrates the behavior? >> >> Anthony >> >> On Friday, July 25, 2014 9:56:38 AM UTC-4, Louis Amon wrote: >>> >>> @Anthony: Indeed, I forgot to add that I’m using auth forms through ajax >>> via LOAD. The problem may be due to ajax's JSON conversion of request.vars. >>> >>> Le 25 juil. 2014 à 15:52, Anthony <abas...@gmail.com> a écrit : >>> >>> I think common practice is to leave password fields blank after a login >>> failure so the password must be re-entered. >>> >>> In any case, I cannot replicate either behavior you describe using the >>> standard web2p Auth forms. When I have a failed login, the entire login >>> form is reloaded emtpy. When I enter the second password incorrectly on a >>> register form, the form reloads, and I only have to correct the second >>> password, not re-enter the first. >>> >>> Can you show the code you are using for your forms? >>> >>> Anthony >>> >>> On Friday, July 25, 2014 9:32:03 AM UTC-4, Louis Amon wrote: >>>> >>>> We’re all developers here so I couldn’t agree more. >>>> >>>> Still, I’m running a commercial website so I’m a slave to what my users >>>> want. >>>> As far as my customers are concerned, security comes second after ease >>>> of use… >>>> >>>> Anyway, you have to admit that the examples I gave in the first post >>>> are misleading in terms of user experience, right ? >>>> >>>> Isn’t there a way to improve it without compromising security too much ? >>>> I can see one : erasing input fields after each validation failure >>>> (blank fields are less misleading). Do you see other ? >>>> >>>> >>>> Le 25 juil. 2014 à 15:19, Willoughby <neil.e...@gmail.com> a écrit : >>>> >>>> A simple google search will yield people complaining about their host >>>> accounts getting hacked on airbnb. >>>> Just because someone or something large 'does it that way' doesn't mean >>>> it's a best practice! >>>> >>>> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote: >>>>> >>>>> I don’t see much of a security threat here. >>>>> What’s the worst-case scenario ? >>>>> >>>>> If you take a look at airbnb.com <http://www.airbnb.com/>, their >>>>> registration form keeps your typed password even if you fail validation >>>>> on >>>>> other fields. >>>>> >>>>> If a website that big can do it then surely my small website will pull >>>>> though, don’t you think ? >>>>> >>>>> Le 25 juil. 2014 à 14:47, Niphlod <nip...@gmail.com> a écrit : >>>>> >>>>> so you really want the webpage to return the actual password instead >>>>> of asterisks ? it's a big security risk, no matter what user experience >>>>> says..... >>>>> >>>>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote: >>>>>> >>>>>> I'm trying to improve user exprerience on my website and I noticed a >>>>>> rather annoying behavior on password fields : >>>>>> >>>>>> If I type a password longer than 8 characters and somehow my form >>>>>> fails (some other field didn't validate), my password gets replaced by >>>>>> "********" in request.vars.password. >>>>>> >>>>>> For example : >>>>>> I try to login and misstype my username --> login form fails. >>>>>> I correct the mistake in the username and press the submit button >>>>>> again --> login still fails, because the password got replaced by >>>>>> '*********' under the hood. >>>>>> >>>>>> Another example: >>>>>> I try to register and type my password but mistyped my password >>>>>> verification (password_two) --> register form fails. >>>>>> I focus the password_two field and retype my password --> register >>>>>> still fails because the original password field got replaced... >>>>>> >>>>>> This behavior is extremely frustrating for users as they can't print >>>>>> request.vars.password like a developper would. All they see is >>>>>> obfuscated >>>>>> passwords. >>>>>> I cannot have this on my commercial website. >>>>>> >>>>>> >>>>>> Is there any way to fix this ? >>>>>> >>>>> >>>>> -- >>>>> Resources: >>>>> - http://web2py.com >>>>> - http://web2py.com/book (Documentation) >>>>> - http://github.com/web2py/web2py (Source code) >>>>> - https://code.google.com/p/web2py/issues/list (Report Issues) >>>>> --- >>>>> You received this message because you are subscribed to a topic in the >>>>> Google Groups "web2py-users" group. >>>>> To unsubscribe from this topic, visit >>>>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe. >>>>> To unsubscribe from this group and all its topics, send an email to >>>>> web2py+un...@googlegroups.com. >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>>> >>>>> >>>> -- >>>> Resources: >>>> - http://web2py.com >>>> - http://web2py.com/book (Documentation) >>>> - http://github.com/web2py/web2py (Source code) >>>> - https://code.google.com/p/web2py/issues/list (Report Issues) >>>> --- >>>> You received this message because you are subscribed to a topic in the >>>> Google Groups "web2py-users" group. >>>> To unsubscribe from this topic, visit >>>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe. >>>> To unsubscribe from this group and all its topics, send an email to >>>> web2py+un...@googlegroups.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>>> >>>> >>> -- >>> Resources: >>> - http://web2py.com >>> - http://web2py.com/book (Documentation) >>> - http://github.com/web2py/web2py (Source code) >>> - https://code.google.com/p/web2py/issues/list (Report Issues) >>> --- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "web2py-users" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe. >>> To unsubscribe from this group and all its topics, send an email to >>> web2py+un...@googlegroups.com. >>> For more options, visit https://groups.google.com/d/optout. >>> >>> >>> -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.