If user's reg/joining fails, can I refill password field or is this bad?


someguy321

When users register for the site, it posts the form to an https version of the site. If there are any errors, it'll stay on the https and I show the form with the fields prefilled in with their inputs and the errors shown.

 

My question is: is it safe to also refill the password field?

Anyone here know the answer for sure?

Assuming you are not using https, it would be a bad thing because all of that information would be passed across the internet. I always refill the email and username but I always reset the password for the user's security.

Thanks,

Colton Wagner

Right, but as I stated, I am using https. So are you saying it's ok then?

Bad with a capital B surely, never retain a user submitted password, this contradicts the 'Secure' aspect of a secure login, that's as bad as 'remembering' a captcha code.

 

This is meant to be security, meaning that bots can't fool a script...

 

Rw

Well if it's bots, there is a limit of 5 attempts within a 15 minute period so I'd assume that would stop bots from constantly reattempting. But are you sure that even if it redirects to https (was started at http) that there's still a risk?

The idea is security, and a password is something that has to be user submitted, not remembered from a previous post.

 

The method you have works fine, and the logic is sound, remember the username by all means, but not the password - exceedingly bad practice really, though it can be done, but definitely NOT recommended.

 

Rw
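
The approach the replies recommend (echo the username and email back, make the user retype the password), as an added example that is not code from the thread or from any poster. The field names, the `/register` action and the `Cache-Control` header are assumptions, since the thread does not show the form or name the language.

```python
import html

# Assumption: hypothetical field names; the thread does not show the form.
REFILLABLE = ("username", "email")            # safe to echo back after a failed submit
NEVER_REFILL = ("password", "password_confirm")


def render_registration_form(submitted, errors):
    """Re-render the sign-up form after validation fails.

    Only allowlisted fields are echoed back, and each echoed value is
    HTML-escaped. Password inputs are always emitted without a value
    attribute, so the secret never appears in the response body, the
    page source or a cached copy of the page.
    """
    lines = ['<form method="post" action="/register">']
    for msg in errors:
        lines.append(f'  <p class="error">{html.escape(msg)}</p>')
    for name in REFILLABLE:
        value = html.escape(str(submitted.get(name, "")), quote=True)
        input_type = "email" if name == "email" else "text"
        lines.append(f'  <input type="{input_type}" name="{name}" value="{value}">')
    for name in NEVER_REFILL:
        # No value attribute: the user has to type the password again.
        lines.append(f'  <input type="password" name="{name}" autocomplete="new-password">')
    lines.append('  <button type="submit">Register</button>')
    lines.append("</form>")
    return "\n".join(lines)


def response_headers():
    # The error page contains user input, so keep it out of browser and proxy caches.
    return {"Cache-Control": "no-store", "Content-Type": "text/html; charset=utf-8"}


if __name__ == "__main__":
    # Constructed sample of a failed submission.
    failed = {"username": 'bob"><script>', "email": "bob@example.com",
              "password": "hunter2-secret", "password_confirm": "hunter2"}
    print(render_registration_form(failed, ["Passwords do not match."]))
```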
