someguy321 Posted November 1, 2010

When users register for the site, it posts the form to an https version of the site. If there are any errors, it'll stay on the https and I show the form with the fields prefilled with their inputs and the errors shown. My question is: is it safe to also refill the password field? Anyone here know the answer for sure?

Colton.Wagner Posted November 1, 2010

Assuming you are not using https it would be a bad thing because all of that information would be passed across the internet. I always refill the email and username but I always reset the password for the user's security.

Thanks, Colton Wagner

someguy321 Posted November 1, 2010

> Assuming you are not using https it would be a bad thing because all of that information would be passed across the internet. I always refill the email and username but I always reset the password for the user's security.
>
> Thanks, Colton Wagner

Right, but as I stated, I am using https. So are you saying it's ok then?

Colton.Wagner Posted November 1, 2010

Yes it would be okay as all data is encrypted. Sorry I didn't read anything but the header.

rwwd Posted November 1, 2010

Bad with a capital B surely, never retain a user submitted password, this contradicts the 'Secure' aspect of a secure login, that's as bad as 'remembering' a captcha code. This is meant to be security, meaning that bots can't fool a script...

Rw

someguy321 Posted November 2, 2010

> Bad with a capital B surely, never retain a user submitted password, this contradicts the 'Secure' aspect of a secure login, that's as bad as 'remembering' a captcha code. This is meant to be security, meaning that bots can't fool a script...
>
> Rw

Well if it's bots, there is a limit of 5 attempts within a 15 minute period so I'd assume that would stop bots from constantly reattempting. But are you sure that even if it redirects to https (was started at http) that there's still a risk?

rwwd Posted November 2, 2010

The idea is security, and a password is something that has to be user submitted, not remembered from a previous post. The method you have works fine, and the logic is sound, remember the username by all means, but not the password - exceedingly bad practise really, though it can be done, but definitely NOT recommended.

Rw

Pikachu2000 Posted November 2, 2010

I agree with the above. ^ ^ ^ Bad idea.

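An added example, not part of any post in the thread: one way to re-render a registration form after a validation error so that username and email are refilled (HTML-escaped) and the password inputs are left empty, as the replies above recommend. The field names, the `/register` action and the sample submission are assumptions constructed for illustration.

```python
import html

# Only these fields are ever echoed back into the form (hypothetical names).
REFILLABLE = ("username", "email")


def render_registration_form(submitted, errors):
    """Return the registration form HTML shown after a failed validation.

    submitted: dict of raw field values from the POST.
    errors:    list of error strings to display above the form.
    """
    def attr(name):
        # Escape quotes as well, so a value cannot break out of the attribute.
        return html.escape(submitted.get(name, ""), quote=True)

    error_items = "".join(f"<li>{html.escape(e)}</li>" for e in errors)
    lines = [
        '<form method="post" action="/register">',
        f'<ul class="errors">{error_items}</ul>',
    ]
    for name in REFILLABLE:
        lines.append(f'<input type="text" name="{name}" value="{attr(name)}">')
    # Password inputs carry no value attribute: the submitted password is
    # never read here, so it cannot end up in the response body.
    for name in ("password", "password_confirm"):
        lines.append(
            f'<input type="password" name="{name}" autocomplete="new-password">'
        )
    lines.append('<button type="submit">Register</button>')
    lines.append("</form>")
    return "\n".join(lines)


# Constructed sample submission: mismatched passwords and a username that
# contains markup, to show that refilled values are escaped.
SAMPLE = {
    "username": 'bob"><script>alert(1)</script>',
    "email": "bob@example.com",
    "password": "Tr0ub4dor&3",
    "password_confirm": "Tr0ub4dor&4",
}

if __name__ == "__main__":
    print(render_registration_form(SAMPLE, ["Passwords do not match."]))
```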