Can it be changed so that it remembers both my userid and password, or just my password? I usually remember who I am! -- Regards, Graham Chiu gchiu<at>compkarori.co.nz http://www.compkarori.co.nz/index.php Powered by Interbase and Zope
Graham Chiu wrote:
> Can it be changed so that it remembers both my userid and password, or just my password? I usually remember who I am!
This is certainly true. Unfortunately, Microsoft has made it so that anyone with a modicum of javascript skills can read *all* your cookies (if you use IE on Windows): http://slashdot.org/article.pl?sid=00/05/11/173257&mode=nested Now, there may not be hugely deleterious effects resulting from this, but until cookies are handled in a sane manner, it's probably inappropriate for us to be putting the password there. If you're using IE 5 or Mozilla (NS 6) you can always tell it to remember what you've entered into the password field. Thanks, ~ethan fremen @ digicool & imeme
In article <3929561C.2FB5086E@imeme.net>, mindlace <mindlace@imeme.net> writes
Graham Chiu wrote:
> Can it be changed so that it remembers both my userid and password, or just my password? I usually remember who I am!
> This is certainly true. Unfortunately, Microsoft has made it so that anyone with a modicum of javascript skills can read *all* your cookies (if you use IE on Windows):
> http://slashdot.org/article.pl?sid=00/05/11/173257&mode=nested
I went there, clicked on the buttons, and got DNS errors.
> Now, there may not be hugely deleterious effects resulting from this, but until cookies are handled in a sane manner, it's probably inappropriate for us to be putting the password there.
Well, you only have to save one half of a pair. I would prefer you save the password. The username I can remember :-)
> If you're using IE 5 or Mozilla (NS 6) you can always tell it to remember what you've entered into the password field.
Doesn't offer to save it for me on IE5. If it did, I wouldn't be asking. -- Regards, Graham Chiu gchiu<at>compkarori.co.nz http://www.compkarori.co.nz/index.php Powered by Interbase and Zope
Graham Chiu wrote:
> I went there, clicked on the buttons, and got DNS errors.
This link should show you all the cookies you have at www.zope.org: http://www.securityspace.com%2fexploit%2fexploit_1b.html%3fdomain==.www.zope...
> Well, you only have to save one half of a pair. I would prefer you save the password. The username I can remember :-)
Your username is publicly accessible from zope.org. With your password, if there's any way I can infer your username (let's say the webmaster grabbed the information while you were posting a comment on zopeisevil.org), they can now do whatever you could do. More to the point, with redirection and javascript, they can even make you do it. For zope.org membership as it is today, all they could do is besmirch your good name in the community. In the future, as the things a zope member can do expands, it could mess up more. I will, however, look into other possibilities, like maybe your password could be filled in server side, if some appropriate check can be made. If you like, drop this issue in the Tracker, http://www.zope.org/Tracker , so that you'll be updated when its status changes.
> If you're using IE 5 or Mozilla (NS 6) you can always tell it to remember what you've entered into the password field.
> Doesn't offer to save it for me on IE5. If it did, I wouldn't be asking.
Hmm. It harasses me about it all the time. Perhaps I'm using IE 5.5 (can't remember, I'm back in linux.) ~ethan
In article <39297D24.A6A7797F@imeme.net>, mindlace <mindlace@imeme.net> writes
> This link should show you all the cookies you have at www.zope.org:
> http://www.securityspace.com%2fexploit%2fexploit_1b.html%3fdomain==.www.zope... /#exploit_1
Interesting. I run a Javascript free site anyway :-)
> I will, however, look into other possibilities, like maybe your password could be filled in server side, if some appropriate check can be made.
That's what I do. I store the userid and a sessionid in the user's cookie cache as a permanent (optional) cookie, and if they both match with what I have saved server side, then I display the userid and password which has also been stored server side. Obviously this is also vulnerable :-( -- Regards, Graham Chiu gchiu<at>compkarori.co.nz http://www.compkarori.co.nz/index.php Powered by Interbase and Zope
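The two concerns raised above (mindlace: a password in a cookie is readable by script and lets anyone who can guess the username act as you; Graham: a persistent userid + sessionid cookie matched server side, which still ends up handing back the stored password) can both be met with a "remember me" token that never carries or reveals the password. The following is an added example written for this page, not zope.org's code and not Graham's; it keeps the shape of his scheme (a persistent cookie checked against a server-side record) but the cookie holds a random selector plus a random validator, the server stores only a hash of the validator, the comparison is constant-time, tokens expire and are one-shot, and on success the server starts a fresh login itself instead of displaying the password. The in-memory dict standing in for the server-side table, the userid "gchiu" in the usage, and the cookie attributes are assumptions for the example; HttpOnly, Secure and SameSite postdate this thread, and HttpOnly is precisely the attribute that keeps `document.cookie` from seeing the value.

```python
"""Persistent-login ("remember me") tokens that never contain the password.

Added example (not the project's or the poster's code).  A constructed
in-memory dict stands in for the server-side table.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 30 * 24 * 3600  # seconds; 30 days (assumed policy)

# selector -> {"userid", "validator_hash", "expires"}; constructed stand-in
# for a database table.  Only the *hash* of the validator lives here, so a
# copied table does not yield working cookies.
_REMEMBER_TOKENS: Dict[str, dict] = {}


def _hash_validator(validator: str) -> str:
    # The validator is high-entropy random data, so a plain SHA-256 is enough;
    # a slow password hash is only needed for low-entropy user secrets.
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_token(userid: str, now: Optional[float] = None) -> str:
    """Create a token for `userid` and return the cookie value 'selector:validator'.

    The selector is the lookup key; the validator is the secret.  Neither is
    derived from the username or the password, so the cookie leaks nothing
    about them even if a script can read it.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    _REMEMBER_TOKENS[selector] = {
        "userid": userid,
        "validator_hash": _hash_validator(validator),
        "expires": now + TOKEN_TTL,
    }
    return f"{selector}:{validator}"


def cookie_header(cookie_value: str) -> str:
    """Set-Cookie line for the token (attribute set assumed for the example).

    HttpOnly hides it from document.cookie, Secure keeps it off plain HTTP,
    Max-Age bounds its life to the same TTL the server enforces.
    """
    return (
        f"Set-Cookie: remember={cookie_value}; Max-Age={TOKEN_TTL}; "
        "Path=/; Secure; HttpOnly; SameSite=Lax"
    )


def redeem_remember_token(cookie_value: str, now: Optional[float] = None) -> Optional[str]:
    """Return the userid for a valid token, else None.

    The token is revoked on every outcome except 'unknown selector': a correct
    use is one-shot (the caller re-issues a fresh token), an expired token is
    dropped, and a wrong validator for a real selector is treated as a stolen
    copy and revoked.  Nothing about the password is ever returned.
    """
    now = time.time() if now is None else now
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None
    rec = _REMEMBER_TOKENS.get(selector)
    if rec is None:
        return None
    if now > rec["expires"]:
        _REMEMBER_TOKENS.pop(selector, None)
        return None
    if not hmac.compare_digest(rec["validator_hash"], _hash_validator(validator)):
        _REMEMBER_TOKENS.pop(selector, None)
        return None
    _REMEMBER_TOKENS.pop(selector, None)
    return rec["userid"]


if __name__ == "__main__":
    # Usage with a constructed userid: issue, set, redeem once, rotate.
    tok = issue_remember_token("gchiu")
    print(cookie_header(tok))
    print("redeemed as:", redeem_remember_token(tok))      # gchiu
    print("replay:", redeem_remember_token(tok))           # None (one-shot)
```

The server then creates a normal session for the returned userid; the password itself is never written to a cookie and never sent back to the browser, which is the property the thread is asking for. Rotating the token on each use also means a copy lifted by script or by a shared machine stops working the next time the legitimate browser signs in.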
Participants (2): Graham Chiu, mindlace