[opensuse-wiki] Bento Login Form Problems
Hello,

There are two major problems with the bento theme login which will need to be fixed. Until they are, I am recommending that everyone avoid using the javascript login form and instead use the standard login page that is used by the legacy wiki.

Issue 1: The login form sends information in plain text over plain HTTP. I have actually fixed this on stage, but perhaps others would like to review it to make sure that passwords aren't being sent in clear text anymore. Assuming that is the case, it can go live when I run the next update. So please try this out in stage (if you are able) and get back to me. If one of you has Wireshark installed, that would be perfect.

Issue 2: As far as I can tell, this login form is the reason behind Bug 619735. After a lot of testing and troubleshooting in stage, this is the most likely culprit so far. Basically, I can duplicate the problem easily when using the bento login form, but I cannot duplicate it at all using the standard login page. It looks like the cookie is not set properly when using this login, although I can't see any apparent reason why that is. Strangely enough, submitting an edit does set the cookie, which is why only the first edit fails.

Please test out the fix for the first issue, and see what might be causing the second. Until then, the best workaround is to use the standard login form.

Thanks!
Matt
On Jul 28, 10 16:00:27 -0600, Matthew Ehle wrote:
Hello,
There are two major problems with the bento theme login which will need to be fixed. Until they are, I am recommending that everyone avoid using the javascript login form and instead use the standard login page that is used by the legacy wiki.
Issue 1: The login form sends information in plain text over plain HTTP. I have actually fixed this on stage, but perhaps others would like to review it to make sure that passwords aren't being sent in clear text anymore. Assuming that is the case, it can go live when I run the next update. So please try this out in stage (if you are able) and get back to me. If one of you has Wireshark installed, that would be perfect.
Wireshark confused me today. I don't see any cleartext password with enstage, but I fail to verify that I have seen all TCP packets.

Firebug tells me that the javascript dropdown login sends it to https://enstage.opensuse.org/ICSLogin/auth-up

Also, http://enstage.opensuse.org/ICHAINLogout/?%22http://en.opensuse.org/cmd/ICSL... promotes to https, before accepting my password.

Looks good, so far.

thanks, JW-

--
Juergen Weigert <jw@suse.de> | 0911 74053-508
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
"Why would it be stupid to assume that a file can continue to be accessed by the same name in the future?" Brion Vibber bwmo#15842#c12

--
To unsubscribe, e-mail: opensuse-wiki+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-wiki+help@opensuse.org
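The review Juergen did by hand (where does the password form actually post, and over which scheme) can also be done as a static check of the page markup. This Python example is added here and is not code from the thread or from the wiki; it assumes the form is plain HTML (an action rewritten by script at runtime is not seen), and the sample page is constructed, reusing only the https endpoint Juergen observed.

```python
# Added example (not code from the opensuse-wiki thread): a static check that
# mirrors Juergen's manual review. Each <form> containing a password field has
# its action resolved against the page URL; anything not https is reported.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry is a mutable [action, has_password]
        self._open = None    # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def insecure_password_forms(page_html, page_url):
    """Return the action URLs of password forms that would not post over https.
    An empty or relative action inherits the page's scheme, so a login form on an
    http:// page is only safe if its action is an absolute https:// URL."""
    parser = _FormCollector()
    parser.feed(page_html)
    targets = [urljoin(page_url, action) for action, pw in parser.forms if pw]
    return [t for t in targets if urlsplit(t).scheme != "https"]


# Constructed sample page: form 1 posts to a relative action (plain HTTP when the
# page is http://), form 2 to the https endpoint named in the thread, form 3 has
# no password field and is ignored.
SAMPLE_PAGE = """
<form action="/ICSLogin/auth-up" method="post">
  <input name="username" type="text"><input name="password" type="password">
</form>
<form action="https://enstage.opensuse.org/ICSLogin/auth-up" method="post">
  <input name="username" type="text"><input name="password" type="password">
</form>
<form action="/search"><input name="q" type="text"></form>
"""
```

Running insecure_password_forms(SAMPLE_PAGE, "http://enstage.opensuse.org/") reports only the first form; served from an https:// page the same markup reports nothing, which is exactly the difference between the two pages Juergen compared.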
Juergen Weigert 7/29/2010 4:09 AM >>>
On Jul 28, 10 16:00:27 -0600, Matthew Ehle wrote:
Hello,
There are two major problems with the bento theme login which will need to be fixed. Until they are, I am recommending that everyone avoid using the javascript login form and instead use the standard login page that is used by the legacy wiki.
Issue 1: The login form sends information in plain text over plain HTTP. I have actually fixed this on stage, but perhaps others would like to review it to make sure that passwords aren't being sent in clear text anymore. Assuming that is the case, it can go live when I run the next update. So please try this out in stage (if you are able) and get back to me. If one of you has Wireshark installed, that would be perfect.
Wireshark confused me today. I don't see any cleartext password with enstage, but I fail to verify that I have seen all TCP packets.
Firebug tells me that the javascript dropdown login sends it to https://enstage.opensuse.org/ICSLogin/auth-up
Also, http://enstage.opensuse.org/ICHAINLogout/?%22http://en.opensuse.org/cmd/ICSL... promotes to https, before accepting my password.
Looks good, so far. thanks, JW-
Thank you for double checking it. I just wanted to make sure that I wasn't leaving any stones unturned on this. I have moved the fix out to the production wiki about an hour ago, so that problem is resolved now.

Work continues on the second issue. I'll leave this one to the people who originally designed the login form, since they will be able to figure this out better than I can. In the meantime, if you are getting session errors while working in the wiki, just use an alternate login page for now.

Thanks!
Matt
On Jul 29, 10 10:07:32 -0600, Matthew Ehle wrote:
Juergen Weigert 7/29/2010 4:09 AM >>>
Looks good, so far.
Thank you for double checking it. I just wanted to make sure that I wasn't leaving any stones unturned on this. I have moved the fix out to the production wiki about an hour ago, so that problem is resolved now.
The javascript thing just forwarded me to https://wiki.opensuse.org/ICSLogin/auth-up no matter if I enter correct or wrong values there.

At https://wiki.opensuse.org/ICSLogin/auth-up I see a strange message

Possible Phishing attempt!" />

above the login field. The source has this:

value="..."

should see some proper escaping.

cheers, JW-
On 30.07.2010 11:51, Juergen Weigert wrote:
On Jul 29, 10 10:07:32 -0600, Matthew Ehle wrote:
Juergen Weigert 7/29/2010 4:09 AM >>>
Looks good, so far.
Thank you for double checking it. I just wanted to make sure that I wasn't leaving any stones unturned on this. I have moved the fix out to the production wiki about an hour ago, so that problem is resolved now.
The javascript thing just forwarded me to https://wiki.opensuse.org/ICSLogin/auth-up no matter if I enter correct or wrong values there.
At https://wiki.opensuse.org/ICSLogin/auth-up I see a strange message
Possible Phishing attempt!" />
Above the login field. The source has this:
value="..." should see some proper escaping.
The page is generated by ichain, so please report errors in it to Novell ;-)

I think I fixed the cause of this error: We tried to redirect to https://en.opensuse.org/... after login, which was wrong. This should be fixed with the next deployment.

Greetings
--
Thomas Schmidt (tschmidt [at] suse.de)
SUSE Linux Products GmbH :: Research & Development :: Tools
"Don't Panic", Douglas Adams (1952 - 11.05.2001)
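The stray 'Possible Phishing attempt!" />' Juergen saw is what an unescaped value="..." attribute produces once the value contains a double quote: the browser closes the attribute early and the remainder becomes visible page text. The Python below is an added example (not ichain's or the wiki's code) that renders a hidden field both ways and reads each back with an HTML parser; the field name and sample value are constructed and do not reproduce the real page content.

```python
# Added example (not code from the thread or from ichain): shows why an
# unescaped value="..." attribute leaks part of its content into visible page
# text, and how html.escape(quote=True) prevents it. The field name and the
# sample value are constructed; the real page content is not reproduced here.
import html
from html.parser import HTMLParser


def render_hidden_unescaped(name, value):
    """The broken pattern: the value is spliced into the attribute as-is."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_escaped(name, value):
    """Hardened: every &, <, >, " and ' is entity-encoded before insertion."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}"'
            f' value="{html.escape(value, quote=True)}" />')


class _Readback(HTMLParser):
    """Parses a fragment the way a browser would and records what it sees."""

    def __init__(self):
        super().__init__()
        self.values = []   # value attribute of every <input> encountered
        self.text = ""     # any character data that ended up outside a tag

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

    def handle_data(self, data):
        self.text += data


def readback(fragment):
    """Return (list of input values, visible text) for a rendered fragment."""
    p = _Readback()
    p.feed(fragment)
    p.close()
    return p.values, p.text.strip()


# Constructed sample: a value carrying a quote and a tag terminator, the same
# kind of content that showed up as stray text above the login field.
SAMPLE_VALUE = 'Looks odd" /> Stray text on the page'
```

For the unescaped rendering, readback() returns a truncated value and the tail of the string as visible text; for the escaped rendering it returns the full value and no visible text, which is the check to apply to any server-generated login page.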
participants (3)
- Juergen Weigert
- Matthew Ehle
- Thomas Schmidt