Date: Sun, 31 Mar 2013 17:41:15 +0000 (UTC)
From: "Noah Slater (JIRA)"
To: commits@roller.apache.org
Subject: [jira] [Comment Edited] (ROL-1959) Remove client-side restriction on password length, switch to server-side validation instead.

[ https://issues.apache.org/jira/browse/ROL-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618400#comment-13618400 ]

Noah Slater edited comment on ROL-1959 at 3/31/13 5:39 PM:
-----------------------------------------------------------

I guess I don't consider maxlength="20" on an input element to be "validation". In my mind, I would be able to enter any length password in that box and the "client-side validation" would tell me that the password was too long without needing a round-trip to the server.
Then, supposing that JavaScript is disabled or whatever, the form is submitted anyway, the web application responds with a copy of the form, complete with an error about the length of the password.

I guess when you lay it out like you have done in your previous comment, it is obvious that the maxlength=20 attribute needs to go. Because it is a password field, you cannot reliably tell what has happened. If it were a country field, you would spot this happening immediately.

For example, Twitter only allows your "location" to be 30 characters long. When my friend tried to fill it out, he saw that the field said "United Kingdom of Great Britai". Note that in this instance, he chose to leave it like that, as a sort of protest against the length restriction. But you get my point, I think.

The combination of type="password" and maxlength="X" introduces a unique problem, in that there is no way for you to know whether your input has been truncated. This is why I believe there should be some notification. (Note that Roller does not even tell you that your password can only be 20 characters.)

was (Author: nslater):

I guess I don't consider maxlength="20" on an input element to be "validation". In my mine, I would be able to enter any length password in that box and the "client-side validation" would tell me that the password was too long without needing a round-trip to the server. Then, supposing that JavaScript is disabled or whatever, the form is submitted anyway, the web application responds with a copy of the form, complete with an error about the length of the password.

I guess when you lay it out like you have done in your previous comment, it is obvious that the maxlength=20 attribute needs to go. Because it is a password field, you cannot reliably tell what has happened. If it were a country field, you would spot this happening immediately.

For example, Twitter only allows your "location" to be 30 characters long.
When my friend tried to fill it out, he saw that the field said "United Kingdom of Great Britai". Note that in this instance, he chose to leave it like that, as a sort of protest against the length restriction. But you get my point, I think.

The combination of type="password" and maxlength="X" introduces a unique problem, in that there is no way for you to know whether your input has been truncated. This is why I believe there should be some notification. (Note that Roller does not even tell you that your password can only be 20 characters.)

> Remove client-side restriction on password length, switch to server-side validation instead.
> --------------------------------------------------------------------------------------------
>
>                 Key: ROL-1959
>                 URL: https://issues.apache.org/jira/browse/ROL-1959
>             Project: Roller
>          Issue Type: Improvement
>            Reporter: Noah Slater
>            Assignee: Roller Unassigned
>         Attachments: roller_password_screenshot.png
>
>
> Sorry for the vague ticket title. I don't want to make presumptions about the issue.
> Steps to reproduce:
> 1. Log in
> 2. Set your password to something long and complex like: xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa
> 3. Log out
> 4. Try to log back in again
> What I see:
> I am unable to log in.
> What I expect to see:
> I am able to log in.
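The reproduction steps in this ticket, modelled as an added example that is not part of the original message and is not Roller code: a capped password field cuts the input without notice, while a server-side check returns the form with an error. It assumes the login field is not capped the way the change-password field is; the function names and the 422 status are hypothetical.

```javascript
// Added example, not Roller code. Names and the login-form behaviour are
// assumptions made for illustration.
const MAX_LEN = 20; // the maxlength value discussed in the comment

// What <input type="password" maxlength="20"> submits: the browser keeps the
// first maxLen UTF-16 code units of typed or pasted text and shows only dots.
function fieldValue(typed, maxLen) {
  return maxLen === undefined ? typed : typed.slice(0, maxLen);
}

// Server-side check that reports an over-long password; it never truncates.
function validatePassword(password) {
  const errors = [];
  if (password.length === 0) errors.push("Password is required.");
  if (password.length > MAX_LEN) {
    errors.push(`Password is ${password.length} characters; the limit is ${MAX_LEN}.`);
  }
  return errors;
}

// Steps 2-4 of the report with a capped change-password field and an
// uncapped login field (assumed). The server can only derive a credential
// from what it received, so equal strings stand in for "hash matches".
function reproduceWithMaxlength(typed) {
  const receivedAtChange = fieldValue(typed, MAX_LEN);
  const receivedAtLogin = fieldValue(typed, undefined);
  return {
    storedLength: receivedAtChange.length,
    loginSucceeds: receivedAtChange === receivedAtLogin,
  };
}

// Same steps with no maxlength attribute and the check done on the server:
// the form comes back with an error instead of a silently shortened password.
function reproduceWithServerValidation(typed) {
  const errors = validatePassword(fieldValue(typed, undefined));
  if (errors.length > 0) {
    return { status: 422, passwordChanged: false, errors };
  }
  return { status: 200, passwordChanged: true, errors };
}

// Sample password copied from the issue's reproduction steps.
const SAMPLE = "xaQ}W,3tg4.VkAy4b398C9cRu8gE$vm{%f}V;L96bJyWf}#ELa";
console.log(reproduceWithMaxlength(SAMPLE));
console.log(reproduceWithServerValidation(SAMPLE));
```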