
is it necessary to NOT put submitted password in value attr

Posted: Tue Jul 17, 2007 10:17 pm
by Luke
I have always just taken it as law that you aren't supposed to echo out the POSTed password back into the password element's value attribute like you do other elements when validating data. I read that it's a bad idea way back in the day because it puts it in plain text in the HTML. But when I really think about it... why is that bad? It's already being sent via plain text... what's the difference? If you're not sure what I'm talking about... I'm talking about this...

<input type="password" name="password" value="<?php echo htmlentities($password); ?>" />

Posted: Tue Jul 17, 2007 11:02 pm
by Benjamin
Probably because it can get cached and live a long time someplace.

Posted: Wed Jul 18, 2007 5:01 am
by Oren
Yeah, NOT putting it is a good idea in my opinion.

Posted: Wed Jul 18, 2007 10:35 am
by Luke
But why? That is what I'm getting at... it's always been said that it's "not a good idea"... but that isn't good enough for me. I want a reason.

Posted: Wed Jul 18, 2007 11:01 am
by pickle
Caching is a good reason. Sure the password may be sent in plaintext, but that's just for a moment. Cached stuff, as we all know, can stick around for a lot longer.

Even if the page is submitted in plaintext, why double the chance it'll be intercepted on the wire & send it back to the client?

Also, what if the user is accessing a secure page? Then the password won't have been submitted in plaintext & by putting it in the source, you're opening up a hole.

Finally, more often than not, the password is mistyped anyway. If the password field isn't filled, the user can easily put their cursor in the field & start typing again. If the password was entered in that field, there's no way they can see where they mistyped, so they'll have to delete it anyway. Only in cases where a user mistypes their username (which is extremely rare in my experience), is it beneficial to the user to have the password field filled in.

Posted: Mon Jul 23, 2007 2:36 pm
by Luke
pickle wrote: Only in cases where a user mistypes their username (which is extremely rare in my experience), is it beneficial to the user to have the password field filled in.
I wouldn't ever want / need to echo back the password into the password field if it was just a login... this is for a "register for an account" form.

You do make several good points though. Thanks pickle.

Posted: Mon Jul 23, 2007 2:45 pm
by superdezign
Hehe, this thread made me modify my form handler class. :-p I didn't even consider that it was actually going to be written in the HTML.

Posted: Mon Jul 23, 2007 3:11 pm
by The Phoenix
The Ninja Space Goat wrote: but why? that is what I'm getting at... it's always been said that it's "not a good idea"... but that isn't good enough for me. I want a reason.
Because you are sending a password in cleartext, allowing anyone with a sniffer on the network to read that password.

In fact, you shouldn't even have the password in cleartext to *offer* back to the user. If you do, that means either they sent it to you in cleartext (bad), or you stored it in cleartext (very bad).
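
As an added example (not posted by anyone in this thread): a PHP registration handler that repopulates the username and e-mail fields after a validation error but always leaves the password field empty, sends `Cache-Control: no-store` for the caching concern raised above, and keeps only a hash of the password. The field names, the 8-character rule and the helper names `post_string` and `render_input` are assumptions.

```php
<?php
// Added example, not code from the thread. Field names and rules are assumptions.

// Read a POST field as a string; array-valued or missing input becomes ''.
function post_string(string $key): string
{
    $v = $_POST[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Build one <input>. A password field is always emitted with an empty value,
// whatever the caller passes, so the secret never reaches the HTML source.
function render_input(string $type, string $name, string $submitted = ''): string
{
    $value = ($type === 'password') ? '' : $submitted;
    return sprintf(
        '<input type="%s" name="%s" value="%s" />',
        htmlspecialchars($type, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

$errors = [];
$username = $email = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = trim(post_string('username'));
    $email    = trim(post_string('email'));
    $password = post_string('password');
    if ($username === '') { $errors[] = 'Username is required.'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'E-mail address is not valid.'; }
    if (strlen($password) < 8) { $errors[] = 'Password must be at least 8 characters.'; }
    if ($errors === []) {
        // Keep only a hash; writing it to storage is left to the application.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        exit('Account created.');
    }
    unset($password); // the re-rendered form below never sees the password
}

header('Cache-Control: no-store'); // ask browsers and proxies not to keep this page
foreach ($errors as $error) {
    echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
echo '<form method="post" action="">' . "\n"
    . render_input('text', 'username', $username) . "\n"
    . render_input('text', 'email', $email) . "\n"
    . render_input('password', 'password') . "\n" // always rendered empty
    . '<input type="submit" value="Register" />' . "\n</form>\n";
```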