encoding form fields when registering user - bug or feature?


Yebach

May 7, 2017, 5:28:38 AM
to web2py-users
Hello

I just discovered the following behavior when a user fills in the user registration form.

In my form I have a confirm password field, and in storage the following values are stored:

<Storage {'first_name': 'jest', 'last_name': 'ti', 'password_two': '1234', 'id': 193L, 'organization': 'testorgalalal', 'password': <gluon.validators.LazyCrypt object at 0x000000000BD94710>, 'email': 'test...@gmail.com'}>

As you can see, the password_two is not encrypted.

In case I forgot to set the encryption, I am just giving you a heads up.

Is this a bug or is it a feature? :)

best regards

Anthony

May 7, 2017, 9:11:41 AM
to web2py-users
What do you mean by "stored"? web2py does not store password_two -- it simply compares it to the first password entry to make sure they match. Only one copy of the password is stored in db.auth_user, and it is hashed.

Anthony

Vid Ogris

May 7, 2017, 11:17:40 AM
to web...@googlegroups.com
I meant sent in storage for form variables. I know it is not stored, but in case of safety this could be an issue. Or not? I might be just overreacting :)


Anthony

May 7, 2017, 11:17:35 PM
to web2py-users
On Sunday, May 7, 2017 at 11:17:40 AM UTC-4, Yebach wrote:
I meant sent in storage for form variables. I know it is not stored, but in case of safety this could be an issue. Or not? I might be just overreacting :)

The form.vars Storage object is held only in memory, and only for the duration of the request. The password must be sent to the server and processed in memory somehow for some amount of time, otherwise it cannot be hashed with the hash stored in the database. What else would you propose?

Anthony
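As an added illustration of the flow Anthony describes (this is not web2py's own code): password_two is compared in memory and then dropped, and only a salted hash of password ever reaches the persisted record. Storage, LazyCrypt, register and verify are stand-ins assumed here, and hashlib.pbkdf2_hmac is used in place of gluon's CRYPT validator.

```python
# Added example, not gluon code: a minimal model of what happens to form.vars
# during registration. The class and function names are assumptions that
# mirror the thread, not the real web2py API.
import hashlib
import hmac
import os


class Storage(dict):
    """Dict with attribute access, like gluon.storage.Storage (assumed shape)."""
    def __getattr__(self, key):
        return self.get(key)

    def __setattr__(self, key, value):
        self[key] = value


class LazyCrypt:
    """Holds the plaintext only until str() is called, then yields a salted hash."""
    def __init__(self, plaintext, salt=None, iterations=100_000):
        self._plaintext = plaintext
        self.salt = salt or os.urandom(16).hex()
        self.iterations = iterations

    def __str__(self):
        digest = hashlib.pbkdf2_hmac("sha256", self._plaintext.encode(),
                                     self.salt.encode(), self.iterations)
        return f"pbkdf2(sha256,{self.iterations})${self.salt}${digest.hex()}"


def verify(stored, candidate):
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, salt, digest = stored.split("$")
    iterations = int(algo[algo.index(",") + 1:-1])
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(cand.hex(), digest)


def register(form_vars):
    """Compare password_two in memory, then persist a record without it and with password hashed."""
    if not hmac.compare_digest(form_vars.password.encode(), (form_vars.password_two or "").encode()):
        return None, ["passwords do not match"]
    form_vars.password = LazyCrypt(form_vars.password)   # plaintext now lives only inside LazyCrypt
    record = {k: v for k, v in form_vars.items() if k != "password_two"}
    record["password"] = str(record["password"])         # hashing happens at insert time
    return record, []


# Constructed sample input mirroring the thread's form.vars (fake data).
sample = Storage(first_name="jest", last_name="ti", password="1234", password_two="1234",
                 organization="testorgalalal", email="test@example.com")
```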