In my Symfony project, I am using the FOS user bundle.
In my security.yml I have this in order to use the bcrypt encoder:

    security:
        # FOS UserBundle needs
        encoders:
            Symfony\Component\Security\Core\User\User: bcrypt
            MyNamespace\MyBundle\Entity\User: bcrypt
            FOS\UserBundle\Model\UserInterface: bcrypt
I call the FOS user registration form in an embedded form like this:

    $builder
        ->add('contactPhone')
        ->add('contactMobilePhone')
        ->add('user', 'fos_user_registration', array(
            'label' => false,
        ));
It renders this, for example:

But when I submit the form, I can see in the browser's network console that my password is in plain text and anybody could use it.
So I can recover all the data of my POST request in the browser console:
    my_form[user][email]=test@test.com
    my_form[contactPhone]=0404040404
    my_form[contactMobilePhone]=0606060606
    my_form[user][username]=test
    my_form[user][plainPassword][first]=test
    // first password entry
    my_form[user][plainPassword][second]=test
    // verification
    my_form[save]
    // submit
    my_form[_token_consumer]=
    // no need to see him

You can understand that it's not secure. I need to encode the password when I submit the form so that nobody else can see it.
Note that the same thing occurs when I log in with the FOSUserBundle user login form.
Every piece of data sent through an HTTP connection can be seen by someone on your route to the server (man-in-the-middle attack). type="password" only hides the characters on-screen, and even other programs on your computer can read the data.
The only way to protect the data is to send it through SSL (HTTPS instead of HTTP).
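An added configuration example (not from the question or either answer) showing how to apply the HTTPS point above inside the same security.yml: the bcrypt encoder stays as configured in the question, hashing still happens only on the server, and access_control rules with requires_channel: https make Symfony redirect any plain HTTP request to the login and registration URLs to HTTPS before the form is served. The firewall name "main", the route paths /login and /register, and the FOSUserBundle provider wiring are assumptions.

```yaml
# security.yml (added example; firewall name, route paths and provider
# wiring are assumptions, not taken from the question)
security:
    encoders:
        # Hashing happens only on the server, once the plain password arrives.
        FOS\UserBundle\Model\UserInterface: bcrypt

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
            logout: true
            anonymous: true

    # Weak: without a channel rule the login and registration URLs are
    # served over plain HTTP, so the POST body (plainPassword[first],
    # plainPassword[second]) travels unencrypted:
    #
    # access_control:
    #     - { path: ^/login$,   role: IS_AUTHENTICATED_ANONYMOUSLY }
    #     - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    #
    # Corrected: requires_channel makes Symfony redirect a plain HTTP
    # request matching these paths to HTTPS, so the credentials are only
    # ever POSTed over TLS.
    access_control:
        - { path: ^/login$,   role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
```

The redirect only protects the form itself; the rest of the site should be served over HTTPS as well so the session cookie issued after login is not exposed on later plain HTTP requests.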
I don't mean to be the bearer of bad news, but the flow you are encountering is expected. I will assume that, within the database, your users' passwords are in fact encrypted.
The form data itself should not contain any type of encryption. It's once you submit the form data to the server side that the data becomes encrypted. To properly encrypt the user input, the plain values must be submitted to the server. If you did any type of 'pre-encryption', you would need to change the flow of your registration process to validate the hash and allow it to be inserted into the DB, but that's not recommended.
If you are worried about somebody else using this data to make XSS attacks, then CORS/CSRF is what you'll need to set up to alleviate that problem.
Why do I say your current issue is not a problem? Well, if you go to just about any site with a registration form and submit it, you will see the plaintext password in the request parameters, as it is normal. Facebook and Google both send the plaintext password on login/registration. Why? Because it's fine and expected behavior.