Getting sessions password

Getting sessions password

MikSan
How Do I get a session password?
I can get the username but not the password

Re: Getting sessions password

Tiago Rinck Caveden
On Mon, Jul 21, 2008 at 12:40 PM, MikSan <[hidden email]> wrote:

>
> How Do I get a session password?
> I can get the username but not the password



I don't believe you should ever be able to do it, passwords are supposed to
be confidential.
Allowing to retrieve them somehow already shows that the system stores the
password as plain text instead of their hashes, which is a flaw IMHO.

Best regards,
--
Tiago Rinck Caveden
http://caveden.multiply.com
_______________________________________________
devs mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/devs

Re: Getting sessions password

MikSan

So there is no way I can retrieve the password?

Tiago Rinck Caveden wrote:
> On Mon, Jul 21, 2008 at 12:40 PM, MikSan <scan@netvisao.pt> wrote:
>
> > How Do I get a session password?
> > I can get the username but not the password
>
> I don't believe you should ever be able to do it, passwords are supposed to
> be confidential.
> Allowing to retrieve them somehow already shows that the system stores the
> password as plain text instead of their hashes, which is a flaw IMHO.
>
> Best regards,
> --
> Tiago Rinck Caveden
> http://caveden.multiply.com

Re: Getting sessions password

vmassol
Administrator

On Jul 21, 2008, at 2:45 PM, MikSan wrote:

>
>
> So there is no way I can retrieve the password?

No. And that's a feature! :)

What you can do is reset it though.
See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/User+Management

-Vincent

> Tiago Rinck Caveden wrote:
>>
>> On Mon, Jul 21, 2008 at 12:40 PM, MikSan <[hidden email]> wrote:
>>
>>>
>>> How Do I get a session password?
>>> I can get the username but not the password
>>
>>
>>
>> I don't believe you should ever be able to do it, passwords are supposed to
>> be confidential.
>> Allowing to retrieve them somehow already shows that the system stores the
>> password as plain text instead of their hashes, which is a flaw IMHO.
>>
>> Best regards,
>> --
>> Tiago Rinck Caveden
>> http://caveden.multiply.com

Re: Getting sessions password

Tiago Rinck Caveden
In reply to this post by MikSan
On Mon, Jul 21, 2008 at 2:45 PM, MikSan <[hidden email]> wrote:

> So there is no way I can retrieve the password?


I don't really know, but I hope not. :-P
You shouldn't be able to do it.

--
Tiago Rinck Caveden
http://caveden.multiply.com

Re: Getting sessions password

Tiago Rinck Caveden
In reply to this post by vmassol
By the way, recently I created my account on XWiki JIRA and it mailed me my
password in plain text, saying I could retrieve it at any moment again if I
wanted.
I didn't like that, it kind of showed me my password was being stored as
plain text...

Is this an issue of JIRA itself or some configuration of XWiki's JIRA? If
you can do anything to change it in your configuration, well, I don't know
if I can vote for such a thing, but here goes my +1. ;-)

If it's an issue of the JIRA platform and it can't be different, then maybe
putting some warnings as you do for the mailing list password? It would be
nice...

Best regards,
Tiago.

On Mon, Jul 21, 2008 at 2:51 PM, Vincent Massol <[hidden email]> wrote:

>
> On Jul 21, 2008, at 2:45 PM, MikSan wrote:
>
> >
> >
> > So there is no way I can retrieve the password?
>
> No. And that's a feature! :)
>
> What you can do is reset it though.
> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/User+Management
>
> -Vincent
>
> > Tiago Rinck Caveden wrote:
> >>
> >> On Mon, Jul 21, 2008 at 12:40 PM, MikSan <[hidden email]> wrote:
> >>
> >>>
> >>> How Do I get a session password?
> >>> I can get the username but not the password
> >>
> >>
> >>
> >> I don't believe you should ever be able to do it, passwords are supposed to
> >> be confidential.
> >> Allowing to retrieve them somehow already shows that the system stores the
> >> password as plain text instead of their hashes, which is a flaw IMHO.
> >>
> >> Best regards,
> >> --
> >> Tiago Rinck Caveden
> >> http://caveden.multiply.com



--
Tiago Rinck Caveden
http://caveden.multiply.com

Re: Getting sessions password

vmassol
Administrator

On Jul 21, 2008, at 3:01 PM, Tiago Rinck Caveden wrote:

> By the way, recently I created my account on XWiki JIRA and it mailed me my
> password in plain text, saying I could retrieve it at any moment again if I
> wanted.
> I didn't like that, it kind of showed me my password was being stored as
> plain text...
>
> Is this an issue of JIRA itself or some configuration of XWiki's JIRA? If
> you can do anything to change it in your configuration, well, I don't know
> if I can vote for such a thing, but here goes my +1. ;-)

No idea. Let us know if you find the answer.

Thanks
-Vincent

> If it's an issue of the JIRA platform and it can't be different, then maybe
> putting some warnings as you do for the mailing list password? It would be
> nice...
>
> Best regards,
> Tiago.
>
> On Mon, Jul 21, 2008 at 2:51 PM, Vincent Massol <[hidden email]> wrote:
>
>>
>> On Jul 21, 2008, at 2:45 PM, MikSan wrote:
>>
>>>
>>>
>>> So there is no way I can retrieve the password?
>>
>> No. And that's a feature! :)
>>
>> What you can do is reset it though.
>> See http://platform.xwiki.org/xwiki/bin/view/AdminGuide/User+Management
>>
>> -Vincent
>>
>>> Tiago Rinck Caveden wrote:
>>>>
>>>> On Mon, Jul 21, 2008 at 12:40 PM, MikSan <[hidden email]> wrote:
>>>>
>>>>>
>>>>> How Do I get a session password?
>>>>> I can get the username but not the password
>>>>
>>>>
>>>>
>>>> I don't believe you should ever be able to do it, passwords are supposed to
>>>> be confidential.
>>>> Allowing to retrieve them somehow already shows that the system stores the
>>>> password as plain text instead of their hashes, which is a flaw IMHO.
>>>>
>>>> Best regards,
>>>> --
>>>> Tiago Rinck Caveden
>>>> http://caveden.multiply.com

Re: Getting sessions password

Markus Lanthaler
In reply to this post by Tiago Rinck Caveden
Actually you can get the session password with the PersistentLoginManager
(if I understand the term "session password" right):

this.persistentLoginManager.getRememberedPassword(request, response);

I posted this "flaw" already last week on the mailing list but got no
answer. The password is stored in the (session) cookie and can be retrieved
at any time.



----- Original Message -----
From: "Tiago Rinck Caveden" <[hidden email]>
To: "XWiki Developers" <[hidden email]>
Sent: Monday, July 21, 2008 2:52 PM
Subject: [gsoc] Re: [xwiki-devs] Getting sessions password


> On Mon, Jul 21, 2008 at 2:45 PM, MikSan <[hidden email]> wrote:
>
>> So there is no way I can retrieve the password?
>
>
> I don't really know, but I hope not. :-P
> You shouldn't be able to do it.
>
> --
> Tiago Rinck Caveden
> http://caveden.multiply.com
