>>>> Juergen Weigert <jw@suse.de> 7/29/2010 4:09 AM >>>
>On Jul 28, 10 16:00:27 -0600, Matthew Ehle wrote:
>> Hello,
>>
>> There are two major problems with the bento theme login which will need to be fixed. Until they are, I am recommending that everyone avoid using the javascript login form and instead use the standard login page that is used by the legacy wiki.
>>
>> Issue 1: The login form sends information in plain text over plain HTTP.
>> I have actually fixed this on stage, but perhaps others would like to
>> review it to make sure that passwords aren't being sent in clear text
>> anymore. Assuming that is the case, it can go live when I run the next
>> update. So please try this out in stage (if you are able) and get back
>> to me. If one of you has Wireshark installed, that would be perfect.
>Wireshark confused me today. I don't see any cleartext password with
>enstage, but I fail to verify that I have seen all TCP packets.
>Firebug tells me that the javascript dropdown login sends it to
>https://enstage.opensuse.org/ICSLogin/auth-up
>Also,
>http://enstage.opensuse.org/ICHAINLogout/?%22http://en.opensuse.org/cmd/ICSLogout%22-X
>promotes to https, before accepting my password.
>Looks good, so far.
> thanks,
> JW-
Thank you for double-checking it. I just wanted to make sure that I wasn't leaving any stones unturned on this. I moved the fix out to the production wiki about an hour ago, so that problem is resolved now.