I still don't see the behavior for login, but for registration, you can try:

db.auth_user.password.widget = lambda k,v: SQLFORM.widgets.password.widget(
    k, None, _id="login_password", _class="input-basic input-200")

Anthony

On Friday, July 25, 2014 10:35:18 AM UTC-4, Louis Amon wrote:
>
> After much research I found the trigger to replicate the issue :
>
> db.auth_user.password.widget = lambda k,v: SQLFORM.widgets.password.widget(
>     k, v, _id="login_password", _class="input-basic input-200")
>
>
> If you type a password longer than 8 characters and the validation fails, 
> your password will be replaced with '********' in request.vars.password.
>
>
> On Friday, July 25, 2014 4:12:06 PM UTC+2, Anthony wrote:
>>
>> I still cannot replicate the behavior you observe. Can you show your code 
>> or attach a minimal app that demonstrates the behavior?
>>
>> Anthony
>>
>> On Friday, July 25, 2014 9:56:38 AM UTC-4, Louis Amon wrote:
>>>
>>> @Anthony: Indeed, I forgot to add that I’m using auth forms through ajax 
>>> via LOAD. The problem may be due to ajax's JSON conversion of request.vars.
>>>
>>> On 25 Jul 2014, at 15:52, Anthony <abas...@gmail.com> wrote:
>>>
>>> I think common practice is to leave password fields blank after a login 
>>> failure so the password must be re-entered.
>>>
>>> In any case, I cannot replicate either behavior you describe using the 
>>> standard web2py Auth forms. When I have a failed login, the entire login 
>>> form is reloaded empty. When I enter the second password incorrectly on a 
>>> register form, the form reloads, and I only have to correct the second 
>>> password, not re-enter the first.
>>>
>>> Can you show the code you are using for your forms?
>>>
>>> Anthony
>>>
>>> On Friday, July 25, 2014 9:32:03 AM UTC-4, Louis Amon wrote:
>>>>
>>>> We’re all developers here so I couldn’t agree more.
>>>>
>>>> Still, I’m running a commercial website so I’m a slave to what my users 
>>>> want.
>>>> As far as my customers are concerned, security comes second after ease 
>>>> of use…
>>>>
>>>> Anyway, you have to admit that the examples I gave in the first post 
>>>> are misleading in terms of user experience, right ?
>>>>
>>>> Isn’t there a way to improve it without compromising security too much ?
>>>> I can see one : erasing input fields after each validation failure 
>>>> (blank fields are less misleading). Do you see others ?
>>>>
>>>>
>>>> On 25 Jul 2014, at 15:19, Willoughby <neil.e...@gmail.com> wrote:
>>>>
>>>> A simple google search will yield people complaining about their host 
>>>> accounts getting hacked on airbnb.
>>>> Just because someone or something large 'does it that way' doesn't mean 
>>>> it's a best practice!
>>>>
>>>> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
>>>>>
>>>>> I don’t see much of a security threat here.
>>>>> What’s the worst-case scenario ?
>>>>>
>>>>> If you take a look at airbnb.com <http://www.airbnb.com/>, their 
>>>>> registration form keeps your typed password even if you fail validation 
>>>>> on other fields.
>>>>>
>>>>> If a website that big can do it then surely my small website will pull 
>>>>> through, don’t you think ?
>>>>>
>>>>> On 25 Jul 2014, at 14:47, Niphlod <nip...@gmail.com> wrote:
>>>>>
>>>>> so you really want the webpage to return the actual password instead 
>>>>> of asterisks ? it's a big security risk, no matter what user experience 
>>>>> says.....
>>>>>
>>>>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>>>>>>
>>>>>> I'm trying to improve user experience on my website and I noticed a 
>>>>>> rather annoying behavior on password fields :
>>>>>>
>>>>>> If I type a password longer than 8 characters and somehow my form 
>>>>>> fails (some other field didn't validate), my password gets replaced by 
>>>>>> "********" in request.vars.password.
>>>>>>
>>>>>> For example :
>>>>>> I try to login and mistype my username --> login form fails.
>>>>>> I correct the mistake in the username and press the submit button 
>>>>>> again --> login still fails, because the password got replaced by 
>>>>>> '*********' under the hood.
>>>>>>
>>>>>> Another example:
>>>>>> I try to register and type my password but mistyped my password 
>>>>>> verification (password_two) --> register form fails.
>>>>>> I focus the password_two field and retype my password --> register 
>>>>>> still fails because the original password field got replaced...
>>>>>>
>>>>>> This behavior is extremely frustrating for users as they can't print 
>>>>>> request.vars.password like a developer would. All they see is 
>>>>>> obfuscated passwords.
>>>>>> I cannot have this on my commercial website.
>>>>>>
>>>>>>
>>>>>> Is there any way to fix this ?
>>>>>>
>>>>>
>>>>> -- 
>>>>> Resources:
>>>>> - http://web2py.com
>>>>> - http://web2py.com/book (Documentation)
>>>>> - http://github.com/web2py/web2py (Source code)
>>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>>> --- 
>>>>> You received this message because you are subscribed to a topic in the 
>>>>> Google Groups "web2py-users" group.
>>>>> To unsubscribe from this topic, visit 
>>>>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
>>>>> To unsubscribe from this group and all its topics, send an email to 
>>>>> web2py+un...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>>
>>>>>
>>>
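
A checker for the three outcomes discussed in this thread (password field sent back blank, sent back as a row of asterisks, or echoed in clear), added here as an example and not code from web2py or from any poster. The name `audit_password_fields` and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser


class _PasswordInputs(HTMLParser):
    """Collect (name, value) for every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.found.append((a.get("name"), a.get("value") or ""))


def audit_password_fields(html):
    """Classify each password input in a response rendered after a failed submit.

    blank  : nothing sent back, the user retypes the password
    masked : an all-asterisk placeholder was sent back; resubmitted untouched,
             it is validated as if it were the password and fails again
    echoed : the typed secret is in the response body, so it also reaches
             caches, proxies and anything that logs responses
    """
    parser = _PasswordInputs()
    parser.feed(html)
    report = {}
    for name, value in parser.found:
        if not value:
            report[name] = "blank"
        elif set(value) == {"*"}:  # heuristic: a real all-'*' password looks masked
            report[name] = "masked"
        else:
            report[name] = "echoed"
    return report


# Constructed sample responses (hypothetical markup, not captured from web2py).
SAMPLES = {
    "masked": '<input type="password" name="password" value="********"/>'
              '<input type="password" name="password_two" value=""/>',
    "blank": '<INPUT TYPE="PASSWORD" NAME="password" id="login_password">',
    "echoed": '<input type="password" name="password" value="hunter2&amp;more">',
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(label, audit_password_fields(page))
```

Run against the HTML a form returns after a deliberately failed submit, any field reported as `masked` or `echoed` is one to switch to a blank value.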
