
FOSUserBundle, password (plainPassword) is not encrypted on submit of POST form

In my Symfony project, I am using the FOS user bundle.

In my security.yml I have this in order to use the bcrypt encoder:

security:
    # FOS UserBundle needs these
    encoders:
        Symfony\Component\Security\Core\User\User: bcrypt
        MyNamespace\MyBundle\Entity\User: bcrypt
        FOS\UserBundle\Model\UserInterface: bcrypt

I call the FOS user registration form in an embedded form like this:

$builder
    ->add('contactPhone')
    ->add('contactMobilePhone')
    ->add('user', 'fos_user_registration', array(
        'label' => false,
    ));

It renders this, for example: [screenshot of the rendered form]

But when I submit the form, I can see in the browser's network console that my password is in plain text and anybody could use it.

So I can recover all the data of my POST request in the browser console:

my_form[user][email]=test@test.com
my_form[contactPhone]=0404040404
my_form[contactMobilePhone]=0606060606
my_form[user][username]=test
my_form[user][plainPassword][first]=test // first password entry
my_form[user][plainPassword][second]=test // verification
my_form[save] // submit
my_form[_token_consumer]= // no need to see it

You can understand that it's not secure. I need to encode the password when I submit the form so that nobody can see it.

Note that the same thing occurred when I logged in with the FOSUserBundle user login form.

Every piece of data sent through an HTTP connection can be seen by someone on your route to the server (man-in-the-middle attack).

type="password" only hides the characters on-screen, and even other programs on your computer can read the data.

The only way to protect the data is to send it through SSL (HTTPS instead of HTTP).

I don't mean to be the bearer of bad news, but this flow you are encountering is expected. I will assume that, within the database, your users' passwords are in fact encrypted.

The form data itself should not contain any type of encryption. It's once you submit the form data to the server side that the data becomes encrypted. To properly encrypt the user input, the plain values must be submitted to the server. If you did any type of 'pre-encryption', you would need to change the flow of your registration process to validate the hash and allow it to be inserted into the db, but that's not recommended.

If you are worried about somebody else using this data to make XSS attacks, then CORS/CSRF is what you'll need to set up to alleviate that problem.

Why do I say your current issue is not a problem? Well, if you go to just about any site with a registration form, and submit it, you will see the plaintext password in the request parameters as it is normal. Facebook and Google both send the plaintext password on login/registration. Why? Because it's fine and expected behavior.
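The server-side flow the answers describe, as an added example in plain PHP (not code from the question or from FOSUserBundle/Symfony): the POST body is constructed from the field names shown in the question, parsed the way a form handler would see it, the password is hashed with bcrypt, and only the hash is kept for storage; the login check compares a later plaintext submission against that hash.

```php
<?php
// Added example, not from the question or the bundle. The raw body below is
// constructed from the fields the asker saw in the network console.
declare(strict_types=1);

// Constructed POST body as the browser sends it (application/x-www-form-urlencoded).
const RAW_POST_BODY = 'my_form[user][email]=test%40test.com'
    . '&my_form[contactPhone]=0404040404'
    . '&my_form[contactMobilePhone]=0606060606'
    . '&my_form[user][username]=test'
    . '&my_form[user][plainPassword][first]=test'
    . '&my_form[user][plainPassword][second]=test';

/**
 * Registration: the plaintext password is read from the request once, checked
 * against its confirmation, hashed with bcrypt and then discarded. Only the
 * hash is handed to the persistence layer.
 */
function registerFromPostBody(string $rawBody): array
{
    parse_str($rawBody, $fields);               // decodes the nested form names into arrays
    $user   = $fields['my_form']['user'] ?? [];
    $first  = $user['plainPassword']['first']  ?? '';
    $second = $user['plainPassword']['second'] ?? '';

    if ($first === '' || !hash_equals($first, $second)) {
        throw new InvalidArgumentException('password confirmation does not match');
    }

    // bcrypt generates a random per-user salt; the cost controls the work factor.
    $hash = password_hash($first, PASSWORD_BCRYPT, ['cost' => 12]);
    unset($first, $second);                      // plaintext does not leave this function

    return [
        'username' => $user['username'] ?? '',
        'email'    => $user['email'] ?? '',
        'password' => $hash,                     // what gets stored: a "$2y$12$..." string
    ];
}

/** Login: the plaintext from the login POST is compared against the stored hash. */
function passwordMatches(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

$record = registerFromPostBody(RAW_POST_BODY);
printf("stored: %s\n", $record['password']);
var_dump(passwordMatches('test', $record['password']));
var_dump(passwordMatches('wrong', $record['password']));
```

Running this shows that what is stored never equals the submitted "test", while the transport of that plaintext to the server is exactly what HTTPS is for.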
