roller-commits mailing list archives
From "Noah Slater (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ROL-1959) Remove client-side restriction on password length, switch to server-side validation instead.
Date Sun, 31 Mar 2013 17:41:15 GMT

    [ https://issues.apache.org/jira/browse/ROL-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618400#comment-13618400 ]

Noah Slater edited comment on ROL-1959 at 3/31/13 5:40 PM:
-----------------------------------------------------------

I guess I don't consider maxlength="20" on an input element to be "validation". In my mind,
I would be able to enter any length password in that box and the "client-side validation"
would tell me that the password was too long without needing a round-trip to the server. Then,
supposing that JavaScript is disabled or whatever, the form is submitted anyway, the web application
responds with a copy of the form, complete with an error about the length of the password.

I guess when you lay it out like you have done in your previous comment, it is obvious that
the maxlength=20 attribute needs to go. Because it is a password field, you cannot reliably
tell what has happened. If it were a country field, you would spot this happening immediately.
For example, Twitter only allows your "location" to be 30 characters long. When my friend
tried to fill it out, he saw that the field said "United Kingdom of Great Britai". Note that
in this instance, he chose to leave it like that, as a sort of protest against the length
restriction. 

But you get my point, I think. The combination of type="password" and maxlength="X" introduces
a unique problem, in that there is no way for you to know whether your input has been truncated.
This is why I believe there should be some notification. (Note that Roller does not even tell
you that your password can only be 20 characters.)
                
      was (Author: nslater):
    I guess I don't consider maxlength="20" on an input element to be "validation". In my
mind, I would be able to enter any length password in that box and the "client-side validation"
would tell me that the password was too long without needing a round-trip to the server. Then,
supposing that JavaScript is disabled or whatever, the form is submitted anyway, the web application
responds with a copy of the form, complete with an error about the length of the password.

I guess when you lay it out like you have done in your previous comment, it is obvious that the
maxlength=20 attribute needs to go. Because it is a password field, you cannot reliably tell
what has happened. If it were a country field, you would spot this happening immediately.
For example, Twitter only allows your "location" to be 30 characters long. When my friend
tried to fill it out, he saw that the field said "United Kingdom of Great Britai". Note that
in this instance, he chose to leave it like that, as a sort of protest against the length
restriction. 

But you get my point, I think. The combination of type="password" and maxlength="X" introduces
a unique problem, in that there is no way for you to know whether your input has been truncated.
This is why I believe there should be some notification. (Note that Roller does not even tell
you that your password can only be 20 characters.)
                  
> Remove client-side restriction on password length, switch to server-side validation instead.
> --------------------------------------------------------------------------------------------
>
>                 Key: ROL-1959
>                 URL: https://issues.apache.org/jira/browse/ROL-1959
>             Project: Roller
>          Issue Type: Improvement
>            Reporter: Noah Slater
>            Assignee: Roller Unassigned
>         Attachments: roller_password_screenshot.png
>
>
> Sorry for the vague ticket title. I don't want to make presumptions about the issue.
> Steps to reproduce:
> 1. Log in
> 2. Set your password to something long and complex like: xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa
> 3. Log out
> 4. Try to log back in again
> What I see:
> I am unable to log in.
> What I expect to see:
> I am able to log in.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
