| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
1160
|
Mon May 30 10:01:14 2005 |
 | Alex H | alex@synergie-inf.com | Request | | 2.5.8-6 | Re: password encryption |
| Stefan Ritt wrote: |
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hided" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck. |
Oki Thanks for the answer  .
Alex |
|
1161
|
Mon May 30 19:18:34 2005 |
 | Gary Clayson | g_clayson@sbcglobal.net | Request | Windows | 2.5.8-6 | Re: password encryption | Hello Alex and Stefan,
I know of only one way to "hide" the text of the status bar in a web browser;
use JavaScript - specifically the status method (as in the following example):
<!-- the following goes in the body of the document, perhaps in a link. -->
<!-- sample link -->
<a href="javascript://place link url here"
onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a>
<!-- place the following script in the head of the document -->
<script language="JavaScript" type="text/javascript"><!--
window.defaultStatus="Default Status Bar Text Here";
--></script>
Of course the above only works in those browsers that support javascripting,
but it is one way to hide the actual text of links from the user.
Hopefully this helps you!
Gary Clayson
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
|
|
1162
|
Mon May 30 19:56:01 2005 |
| Emiliano Gabrielli | AlberT@SuperAlberT.it | Request | Windows | 2.5.8-6 | Re: password encryption |
| Gary Clayson wrote: | Hello Alex and Stefan,
I know of only one way to "hide" the text of the status bar in a web browser;
use JavaScript - specifically the status method (as in the following example):
<!-- the following goes in the body of the document, perhaps in a link. -->
<!-- sample link -->
<a href="javascript://place link url here"
onMouseOver="window.status='Status Bar Text Goes Here'; return true">Link Text Here</a>
<!-- place the following script in the head of the document -->
<script language="JavaScript" type="text/javascript"><!--
window.defaultStatus="Default Status Bar Text Here";
--></script>
Of course the above only works in those browsers that support javascripting,
but it is one way to hide the actual text of links from the user.
Hopefully this helps you!
Gary Clayson
| Alex H wrote: | Hi Stefan,
I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
|
I don't have double checked .. but .. why we need to pass the sensible information in the Query String ??
Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution? |
|
1163
|
Mon May 30 20:16:11 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | Windows | 2.5.8-6 | Re: password encryption |
| Emiliano Gabrielli wrote: |
I don't have double checked .. but .. why we need to pass the sensible information in the Query String ??
Are you sure that putting it in an hidden field (and eventualli using a GET methon in the <form>-tag) can't be a solution? |
Hidden means only these fields are not shown in the form, but they are added to the URL in the same way as non-hidden fields. But I got another idea: I will try to use a POST form instead of the GET form. Using the POST method, fields are attached to the request and not present in the URL. Hope this will work. When I find some time to work on it I will let you know. |
|
1164
|
Tue May 31 09:07:37 2005 |
 | Alex H | alex@synergie-inf.com | Request | Windows | 2.5.8-6 | Re: password encryption | | Thanks Stefan 8) |
|
1176
|
Sat Jun 4 14:00:17 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Request | | 2.5.8-6 | Re: password encryption |
| Alex H wrote: | I have found a little problem with elog. I'am using ELOG V2.5.8-6. When I'am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release ?
Thanks a lot.
Alex |
I switched the login page to the HTTP "POST" method, where arguments are not passed in the URL.
The new version is under CVS. Can you try if the behaviour is better now? I upgraded also the ELOG forum, so you can try there as well. |
|
67976
|
Tue Jun 9 15:44:49 2015 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | All | 3.1.0 | Re: parse a correctly the username in save_user_config when using Webserver authentication | Hi Christof,
thanks for the patch, I merged it into the current HEAD.
/Stefan
| Christof Hanke wrote: |
|
Hi Stefan,
When we use Webserver authentication, we have the correct username already in the variable http_user.
The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.
Instead, just encode the http_user variable directly.
See attached patch against git HEAD.
Christof
|
|
|
1507
|
Tue Nov 15 08:40:31 2005 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 2.6.0-4 | Re: page2?cmd=List does not show next page |
| Oleg Solovyanov wrote: | Maybe I'm doing something wrong, but the following does not work on a Elog with multiple pages:
1. View message
2. Click List
3. Click Next or page number
4. Only the last page is shown
It looks like the URL pageN?cmd=List does not work, while pageN works.
Any hints?
Same behaviour can be seen also with Discussion forum on Elog site. |
I don't understand. I tried on the Discussion forum:
1. View message, for example http://midas.psi.ch/elogs/Forum/1506
2. Click List, which takes me to http://midas.psi.ch/elogs/Forum/
3. Click Next, which takes me to http://midas.psi.ch/elogs/Forum/page2
Then I really see page2, not the last page. So what do you do differently? |
|