eien86
He/Him
Judge, Skilled player (1881)
Joined: 3/21/2021
Posts: 262
Location: Switzerland
Just letting you know that you can trigger an error when logging in, if you change the value of "RememberMe" after clicking "log in". This sends both values which triggers an error. This happened to me on Android+Chrome What's concerning to me, though, is that the form returns with all credentials as plain text. This means the pass went to the server and back without any type of obfuscation. Pretty sure this isn't too safe.
Masterjun
He/Him
Site Developer, Expert player (2047)
Joined: 10/12/2010
Posts: 1185
Location: Germany
eien86 wrote:
What's concerning to me, though, is that the form returns with all credentials as plain text. This means the pass went to the server and back without any type of obfuscation. Pretty sure this isn't too safe.
That's not quite correct. As long as you're using HTTPS (which we and most pages are), nothing is sent as plain text. This is how every safe site that uses a Username+Password login works. The form data being shown to you is meant as a recovery option. With this 400 error the server denied your request due to bad caching on your browser's part. The idea of it being due to the "Remember me" option is just a coincidence in this case. (The reason you see it sending both "true" and "false" is due to how HTML checkboxes work with ASP.NET. Because an unchecked box will send nothing, not even false, the framework inserts a hidden input field that is always false. This way it always sends "false" no matter what, and then also appends "true" if the actual checkbox is checked.) If you're still concerned about security, our whole source code is open source and available on GitHub here: https://github.com/TASVideos/tasvideos , or by clicking the site version number at the bottom of each page. We're using Razor Pages with the default ASP.NET Microsoft.AspNetCore.Identity sign in method. ( https://github.com/TASVideos/tasvideos/blob/7efe9e5edf8999b15051fdbba765eb14bef77d6f/TASVideos.Core/Services/SignInManager.cs )
Warning: Might glitch to credits I will finish this ACE soon as possible (or will I?)
eien86
He/Him
Judge, Skilled player (1881)
Joined: 3/21/2021
Posts: 262
Location: Switzerland
Alrighty, thanks for the clarification. I just had to make sure :)