c# - Should Password fields retain their values if a form does not pass validation? -


i have typical sign-up form 2 password fields.

<form>     <%= html.textbox("email", null) %>      <%= html.password("password", null) %>     <%= html.password("confirmpassword", null) %>      <input type='submit' /> </form>

if form fails validation , redisplayed, text field retains value password fields blank.

why shouldn't password fields retain values? , more importantly, there reason shouldn't override behavior?

i feel behavior decreases usability, , prefer password fields behave same way textbox fields -- keeping entered value when validation errors exist.

i'm using asp.net mvc, question pertains more usability , security. understand i'm seeing expected behavior, , taking @ password(...) method shows me explicitly ignores value in modelstate.

you can send value on regular input type=password field.

however, if using .net input control, clear contents of value prior sending html client.

the reason simple: wanted limit number of times in password sent , forth between server , browser. helps limit exposure systems.(link)

now, obviously, if using ssl isn't of consideration. unforunately vast majority of sites out there still don't use ssl , happily send data , forth in clear. more times field travels between client , server, more opportunities has of grabbing ala firesheep.

bear in mind, isn't listening in on whole conversation won't first post. however, consider simple option limit (not eliminate) attack surface.

the next reason every time sites show password field user after submit, it's because validation didn't pass. mean username and/or password incorrect. considering password fields display asterisks or dots user, there's no real reason give them.

given never want tell user of credentials failed (ie: not want "password invalid" or "username invalid") , common users have no way of figuring out whether fat fingered entry, it's better imho clear both.

all of aside, have choice here. standard blank it. considering way vast majority of sites work, want go against grain? personally, find better off sticking ui standards when disagree them.

users have hard enough time different options available.


Comments

Post a Comment

Popular posts from this blog

c# - SharpSVN - How to get the previous revision? -

i trying find efficient way previous revision of file text comparison using sharpsvn. using (svnclient c = new svnclient()) { c.authentication.defaultcredentials = new networkcredential( configurationmanager.appsettings.get("svnserviceusername") , configurationmanager.appsettings.get("svnservicepassword") , configurationmanager.appsettings.get("svnservicedomain") ); c.authentication.sslservertrusthandlers += new eventhandler<svnsslservertrusteventargs>(authentication_sslservertrusthandlers); collection<svnfileversioneventargs> fileversioncollection = new collection<svnfileversioneventargs>(); svnrevisionrange range = new svnrevisionrange(0, this.hooks.revision); svnfileversionsargs args = new svnfileversionsargs(); args.retrieveproperties = true; args.range = range; foreach (svnchangeitem item in log.changedpaths) { string path = this.repositorypath + it...
Read more

c++ - Is it possible to compile a VST on linux? -

for class project i'm attempting write vst plugin backed cuda. current cuda workflow on linux box, i'd prefer compile , link there. according wikipedia , should possible (i couldn't find steinberg documentation relevant linux) can't find makefile or instructions on how build if aren't using xcode or visual studio. i'm vst 3 sdk doesn't support linux. when try compile plugin under linux, error: ./base/source/fatomic.cpp:39:30: fatal error: libkern/osatomic.h: no such file or directory this issue caused following code in "vst3 sdk/base/source/fatomic.cpp" #if mac #include <libkern/osatomic.h> #if mac_os_x_version_min_required > mac_os_x_version_10_4 #define native_atomic_type (volatile int32_t*) #else #define native_atomic_type (int32_t*) #endif #elif windows #include <windows.h> #endif but hope compiling under linux work vst sdk 2.4. reading. jvstwrapper seems run on lin...
Read more

url - Querystring manipulation of email Address in PHP -

i using third party application (email2http) send me emailid, body , message. unable retrieve email id due name appended on , enclosed < , >. here querystring getting. test.php?from=ajay+reddy &subject=cx&body=somebody when print variable in php returns name , not email id. $from = $_get['from']; echo $from; //output ajay reddy please suggest me how can emailid also. i dont want use post method due testing , debugging. it's working fine. forgot use htmlentities() in debugging.
Read more