rejetto forum

testing 2.1


Offline rejetto

  • Administrator
the point is not about having 50% or more users using that feature.
it is actually a sensible usability improvement.
of course it will be an option.
anyway, feature accepted.


ruudboek

  • Guest
@rejetto

I really appreciate this :D

What is your point of view on making HFS only add "username:password@" at the point that HFS is triggered to start serving a download?
That should then not make "username:password@" visible in the address bar or status bar.
Do you think that that is technically achievable?

Ruud


Offline rejetto

impossible. the link is in the page. the page is generated and displayed before you know what the user will download.


Anonymous

  • Guest
Quote from: "rejetto"
anyway, feature accepted.

If the username and password are visible in plain text, you are creating an HFS security issue. Without encryption of some sort, the information can be seen by other people while it is in transit.


ruudboek

  • Guest
Quote from: "rejetto"
impossible. the link is in the page. the page is generated and displayed before you know what the user will download.

Is it then maybe possible to add "username:password@" during the generation of the page, so that all links to files will include "username:password@"?

Ruud


Offline rejetto

Quote from: "Anonymous"
Quote from: "rejetto"
anyway, feature accepted.

If the username and password are visible in plain text, you are creating an HFS security issue. Without encryption of some sort, the information can be seen by other people while it is in transit.

1. it is optional
2. many people have the computer in a room with enough privacy

usability and security are often conflicting, anyone who studied security knows it.


Offline rejetto

Quote from: "ruudboek"
Quote from: "rejetto"
impossible. the link is in the page. the page is generated and displayed before you know what the user will download.

Is it then maybe possible to add "username:password@" during the generation of the page, so that all links to files will include "username:password@"?

yes, that's what i meant saying "accepted"


Offline MarkV

@rejetto: Do you have the possibility to use obfuscation of username and password by using the "%" values? Just a thought.

All modern browsers/dl managers convert it by themselves.

The most famous example for such a "%" value is the %20 which represents a space.

Makes it harder to spy passwords fast...

MarkV
http://worldipv6launch.org - The world is different now.


Offline rejetto

yes, it works, i tested with IE+DAP.


Offline ants

Offline rejetto

no, been busy with my exam.
now done.
i have some maintenance to do to forum and wiki.


segosa

  • Guest
I can't find where to disable the feature whereby the username/password is embedded in the page's urls... where is it?


Offline rejetto

if you are referring to what we are discussing, it is a thing to come, there is nothing you should disable


segosa

  • Guest
If I visit the URL with the password embedded into it, for example http://user:pass@localhost, all links on the page will also have user:pass embedded into them. There's no way to disable that? Reading the past few pages it seems you've been discussing that exact feature and you said it was optional. Or do you mean that the ability to disable it is what's to come?


Offline maverick

Quote from: "segosa"
If I visit the URL with the password embedded into it, for example http://user:pass@localhost, all links on the page will also have user:pass embedded into them. There's no way to disable that?

If you manually input that kind of url in the location field of your browser, that is the normal behavior.  If you want to stop that behavior, login properly. Using your example, login using only http://localhost as the url (with of course HFS running).  You will be prompted for username and password and they won't show up in the url.

Quote
Reading the past few pages it seems you've been discussing that exact feature and you said it was optional. Or do you mean that the ability to disable it is what's to come?

Yes, that type of scenario has been discussed, but rejetto didn't implement it.  You didn't finish reading the thread.  It would be an optional feature, if it was implemented.
maverick
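
Added example, not part of the thread and not HFS code: a check an operator could run over a generated file-listing page to see which links carry "username:password@", including the "%"-encoded form discussed above, which decodes back to the same credentials. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class _LinkCollector(HTMLParser):
    """Collect href/src attribute values from a generated page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def find_credential_links(page_html):
    """Return (link, username, password) for every link carrying userinfo.

    Percent-encoded userinfo is decoded before reporting: %XX is a transport
    encoding, so the decoded value is what the link actually exposes.
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    findings = []
    for link in collector.links:
        try:
            parts = urlsplit(link)
        except ValueError:
            continue  # malformed URL, nothing to extract
        if parts.username is None and parts.password is None:
            continue  # no "user:pass@" part (includes relative links)
        findings.append(
            (link, unquote(parts.username or ""), unquote(parts.password or ""))
        )
    return findings


# Constructed sample page: plain userinfo, %-encoded userinfo, and clean links.
SAMPLE_PAGE = """
<a href="http://user:pass@localhost/files/report.pdf">report.pdf</a>
<a href="http://%75%73%65%72:%70%61%73%73@localhost/files/setup.exe">setup.exe</a>
<a href="http://localhost/files/readme.txt">readme.txt</a>
<a href="/files/notes.txt">notes.txt</a>
"""

if __name__ == "__main__":
    for link, user, password in find_credential_links(SAMPLE_PAGE):
        print(f"{link} -> user={user!r} password={password!r}")
```
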