tapestry-dev mailing list archives

From "Ben Gidley (JIRA)" <j...@apache.org>
Subject [jira] Commented: (TAP5-874) Add t:secure to Form component
Date Mon, 05 Oct 2009 07:41:31 GMT

    [ https://issues.apache.org/jira/browse/TAP5-874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762109#action_12762109 ]

Ben Gidley commented on TAP5-874:
---------------------------------

Although this is a nice feature it is a security risk.

A man in the middle could change the posting path for the login form to their own site and
harvest usernames/passwords. This doesn't mean it shouldn't be implemented but if it is the
docs should warn about this risk. A site requiring strong security (e.g. banking/payments)
shouldn't use this pattern. 

> Add t:secure to Form component
> ------------------------------
>
>                 Key: TAP5-874
>                 URL: https://issues.apache.org/jira/browse/TAP5-874
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>    Affects Versions: 5.1.0.5
>            Reporter: Olle Hallin
>            Priority: Minor
>
> It would be nice if one could make a <t:form> post to SSL by specifying t:secure="true" on the form component.
> It is a quite common design pattern nowadays to have a login form on each page. It is mostly not necessary however to access all pages via https.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

