>>>> Juergen Weigert <jw@suse.de> 7/29/2010 4:09 AM >>>
>On Jul 28, 10 16:00:27 -0600, Matthew Ehle wrote:
>> Hello,
>>
>> There are two major problems with the bento theme login which will need to be fixed.  Until they are, I am recommending that everyone avoid using the JavaScript login form and instead use the standard login page that is used by the legacy wiki.
>> 
>> Issue 1: The login form sends information in plain text over plain HTTP.
>> I have actually fixed this on stage, but perhaps others would like to
>> review it to make sure that passwords aren't being sent in clear text
>> anymore.  Assuming that is the case, it can go live when I run the next
>> update.  So please try this out in stage (if you are able) and get back
>> to me.  If one of you has Wireshark installed, that would be perfect.

>Wireshark confused me today. I don't see any cleartext password with
>enstage, but I fail to verify that I have seen all TCP packets.

>Firebug tells me that the JavaScript dropdown login sends it to
>https://enstage.opensuse.org/ICSLogin/auth-up

>Also,
>http://enstage.opensuse.org/ICHAINLogout/?%22http://en.opensuse.org/cmd/ICSLogout%22-X
>promotes to https, before accepting my password.

>Looks good, so far.
>                thanks,
>                        JW-

Thank you for double checking it.  I just wanted to make sure that I wasn't leaving any stones unturned on this.  I moved the fix out to the production wiki about an hour ago, so that problem is resolved now.
 
Work continues on the second issue.  I'll leave this one to the people who originally designed the login form, since they will be able to figure this out better than I can.  In the meantime, if you are getting session errors while working in the wiki, just use an alternate login page for now.
 
Thanks!
Matt
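
A static complement to the Wireshark and Firebug checks discussed in this thread, added here as an example and not part of the original messages: it parses a page's HTML and reports where each form containing a password field would submit. The function names, verdict strings and the sample markup with its example.org hosts are assumptions constructed for illustration, not the wiki's real markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (illustrative only, not the real wiki markup).
SAMPLE = """
<form action="https://login.example.org/auth"><input type="password" name="p"></form>
<form action="/login"><input type="text" name="u"><input type="PASSWORD" name="p"/></form>
<form action="/search"><input type="text" name="q"></form>
"""

class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> holding a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []                       # raw action values
        self._in_form = self._has_pw = False
        self._action = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._has_pw = True, False
            self._action = a.get("action") or ""
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self._has_pw = True

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_pw:
                self.forms.append(self._action)
            self._in_form = False

def check_login_forms(page_url, html):
    """Return [(resolved_action_url, verdict)] for each password form."""
    collector = _FormCollector()
    collector.feed(html)
    results = []
    for action in collector.forms:
        target = urljoin(page_url, action)    # empty action posts back to page_url
        if urlparse(target).scheme != "https":
            verdict = "cleartext-submit"      # password would cross the wire unencrypted
        elif urlparse(page_url).scheme != "https":
            # Submit is encrypted, but the form markup itself arrived over plain HTTP.
            verdict = "https-submit-from-http-page"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results

if __name__ == "__main__":
    print(check_login_forms("http://wiki.example.org/Main", SAMPLE))
```

This only inspects static markup; a form whose target is set by script at runtime still needs the browser-side or packet-capture check described in the thread.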