OFBiz OFBiz - User

Re: Users - After login, username/password are in the page URL

Posted by David E. Jones on
URL: http://ofbiz.116.s1.nabble.com/Users-After-login-username-password-are-in-the-page-URL-tp137768p137769.html


Vinay,

It sounds like you need to step back from the details and consider  
the bigger picture for a second.

There are certain some cases where we need to pass the arguments in  
the URL. Some of this could be refactored to put them in the session  
for the case of post-login view rendering, and I think that might  
work but it would be a bit of work.

Whatever the case, the code changes you are making obviously have  
some issues. You need to either pull the username and password out of  
the parameters map/string, or change where you are interrupting the  
flow.

In the bigger picture a password (well, especially password, username  
isn't generally so critical/protected) should NEVER EVER be passed in  
a URL. I think this is what you are picking up on. Even over  
encrypted connections (ie via HTTPS) the URL itself is not encrypted.  
So, these should _only_ be sent as form field values.

-David


On Mar 3, 2006, at 3:54 PM, Vinay Agarwal wrote:

> David,
>
> Not sure if this is the way to do it, but looking at the handling  
> for the
> default case on line 403
>
> renderView(nextView, requestManager.allowExtView(requestUri), request,
> response);
>
> It is not adding query string to the URL. If the same works for  
> redirect
> case, then changing line 391 from
>
> callRedirect(makeLinkWithQueryString(request, response, "/" +  
> nextView),
> response, request);
>
> to:
> callRedirect(nextView, response, request);
>
> would solve the problem. Is this the way to do it?
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-
> [hidden email]]
> On Behalf Of Vinay Agarwal
> Sent: Friday, March 03, 2006 2:10 PM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Re: [OFBiz] Users - After login,username/password are in  
> the page
> URL
>
> David,
>
> The username/password are added by a call to  
> makeLinkWithQueryString on line
> 391 of framework/webapp/src/org/ofbiz/webapp/control/
> RequestHandler.java.
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-
> [hidden email]]
> On Behalf Of Vinay Agarwal
> Sent: Friday, March 03, 2006 1:33 PM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Re: [OFBiz] Users - After login,username/password are in  
> the page
> URL
>
> David,
>
> I modified the checkLoginUrl to include "request-redirect:" like the
> following
> https://localhost:8443/ecommerce/control/checkLogin/request- 
> redirect:login
>
> To reproduce this with ecommerce application in latest code, in the  
> file
> ecommerce/widget/EcommcerceSetup.bsh, line
>
> globalContext.put("checkLoginUrl", LoginWorker.makeLoginUrl(request,
> "checkLogin"));
>
> is replaced by
> String loginUrl = LoginWorker.makeLoginUrl(request, "checkLogin");
> int indx = loginUrl.lastIndexOf('/') + 1;
> loginUrl = loginUrl.substring(0, indx) + "request-redirect:" +
> loginUrl.substring(indx);
> globalContext.put("checkLoginUrl", loginUrl);
>
> This could not be seen prior to this mod since the URL showed
> https://localhost:8443/ecommerce/control/login
> on the main page after login.
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-
> [hidden email]]
> On Behalf Of David E. Jones
> Sent: Friday, March 03, 2006 12:49 PM
> To: OFBiz Users / Usage Discussion
> Subject: Re: [OFBiz] Users - After login,username/password are in  
> the page
> URL
>
>
> Vinay,
>
> Could you send over more details about where this happened and if
> needed what preceded it? Is this modified or stock (SVN) code?
>
> Thanks,
> -David
>
>
> On Mar 3, 2006, at 1:38 PM, Vinay Agarwal wrote:
>
>> Hello,
>>
>>
>>
>> After login, I find the username and password in the page URL like
>> this
>>
>> http://localhost:8080/control/
>> main;jsessionid=26851BF0671EC5CFDEE70EC1ADA621
>> 79.jvm1?USERNAME=lauser
>> <http://localhost:8080/control/
>> main;jsessionid=26851BF0671EC5CFDEE70EC1ADA62
>> 179.jvm1?USERNAME=lauser&PASSWORD=testing> &PASSWORD=testing
>>
>>
>>
>> To my knowledge, I am not calling any script to put stuff from
>> _PREVIOUS_PARAMS_ to URL. Any suggestions on how to fix it?
>>
>>
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>> <winmail.dat>
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.ofbiz.org/mailman/listinfo/users
>
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.ofbiz.org/mailman/listinfo/users

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
Free forum by Nabble Edit this page