[Kimchi-devel] [PATCH] Avoid show user/password in url browser

Aline Manera alinefm at linux.vnet.ibm.com
Mon Oct 5 15:31:33 UTC 2015



On 01/10/2015 13:51, Lucio Correia wrote:
> Hi Rodrigo, is this a fix for issue #714?
>

Yep! Thanks, Lucio! I've just closed the issue.

> On 09/01/2015 03:13 PM, Rodrigo Trujillo wrote:
>> There is a remote, but real, possibility that kimchi.min.js breaks and
>> is not loaded for some reason in Kimchi login page. If this happens, the
>> form submit action is not going to be bound to a javascript function
>> that calls an AJAX POST request. Then the browser is going to submit the
>> form in the default way: using a GET request. GET requests add form data
>> in the URL, so user will be able to see the user and password in the URL
>> field and in the log:
>>
>> "GET /login.html?username=321&password=234 HTTP/1.0" 200 2936
>> "https://localhost:8001/login.html" "Mozilla/5.0 (X11; Fedora; Linux
>> x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
>>
>> This patch fixes this problem by adding 'method="post"' in the login html
>> form.
>>
>> Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo at linux.vnet.ibm.com>
>> ---
>>   ui/pages/login.html.tmpl | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl
>> index e2f6855..55848b4 100644
>> --- a/ui/pages/login.html.tmpl
>> +++ b/ui/pages/login.html.tmpl
>> @@ -79,7 +79,7 @@
>>           <div id="messUserPass" class="err-mess" style="display: 
>> none;">$_("The username or password you entered is incorrect. Please 
>> try again.")</div>
>>           <div id="messSession" class="err-mess" style="display: 
>> none;">$_("Session timeout, please re-login.")</div>
>>       </div>
>> -    <form id="form-login" class="login-panel">
>> +    <form id="form-login" class="login-panel" method="post">
>>           <div class="row">
>>               <input type="text" id="username" name="username" 
>> required="required" placeholder="$_("User Name")" autofocus/>
>>               <div id="username-msg" class="msg-required"></div>
>>
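Review bot: the changed <form id="form-login" ...> line gains method="post" but still has no action attribute, so when the script is not loaded the browser will POST the credentials to the current page URL (/login.html in the logged example) rather than to a dedicated login handler. That keeps the username and password out of the address bar and the access log, which is the stated goal, but the fallback submit only logs the user in if that URL accepts POST. Consider adding an explicit action for the login endpoint, or saying in the commit message that the no-JavaScript path is only meant to fail without exposing the credentials.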
>
>



