testing 2.1

[rejetto]

the point is not about having 50% or more users using that feature.
it is actually a sensible usability improvement.
of course it will be an option.
anyway, feature accepted.

[ruudboek]

@rejetto

I really appreciate this

What it your point of view on making HFS only add "username:password@" at the point that HFS is triggered to start serving a download?
That should then not make "username:password@" visible in the address bar or status bar.
Do you think that that is technically achievable?

Ruud

[rejetto]

impossibile. the link is in the page. the page is generated and displayed before you know what the user will download.

[Anonymous]

anyway, feature accepted.

If username and password is visible in plain text, you are creating a HFS security issue.  Without encryption of some sort, the information can be seen by other people while it is in transit.

[ruudboek]

impossibile. the link is in the page. the page is generated and displayed before you know what the user will download.

Is then maybe possible to add "username:password@" during the generation of the page, so that all links to files will include "username:password@"?

Ruud

[rejetto]

anyway, feature accepted.

If username and password is visible in plain text, you are creating a HFS security issue.  Without encryption of some sort, the information can be seen by other people while it is in transit.

1. it is optional
2. many people have the computer in a room with enough privacy

usability and security are often conflicting, anyone who studied security knows it.

[rejetto]

impossibile. the link is in the page. the page is generated and displayed before you know what the user will download.

Is then maybe possible to add "username:password@" during the generation of the page, so that all links to files will include "username:password@"?

yes, that's what i meant saying "accepted"

[MarkV]

@rejetto: Do you have the possibility to use obfuscation of username and password by using the "%" values? Just a thought.

All modern browsers/dl managers convert it by itself.

The most famous example for such a "%" value is the %20 which represents a space.

Makes it harder to spy passwords fast...

MarkV

[rejetto]

yes, it works, i tested with IE+DAP.

[ants]

Any progress news Rejetto?

[rejetto]

no, been busy with my exam.
now done.
i have some maintenance to do to forum and wiki.

[segosa]

I can't find where to disable the feature whereby the username/password is embedded in the page's urls... where is it?

[rejetto]

if you are referring to what we are discussing about, it is a thing to come, there is nothing you should disable

[segosa]

If I visit the URL with the password embedded into it, for example http://user:pass@localhost, all links on the page will also have user:pass embedded into them. There's no way to disable that? Reading the past few pages it seems you've been discussing that exact feature and you said it was optional. Or do you mean that the ability to disable it is what's to come?

[maverick]

If I visit the URL with the password embedded into it, for example http://user:pass@localhost, all links on the page will also have user:pass embedded into them. There's no way to disable that?

If you manually input that kind of url in the location field of your browser, that is the normal behavior.  If you want to stop that behavior, login properly. Using your example, login using only http://localhost as the url (with of course HFS running).  You will be prompted for username and password and they won't show up in the url.

Reading the past few pages it seems you've been discussing that exact feature and you said it was optional. Or do you mean that the ability to disable it is what's to come?

Yes, that type of scenerio has been discussed, but rejetto didn't implement it.  You didn't finish reading the thread.  It would be an optional feature, iF[/i] it was implemented.