[JDEV] new password

Greg Wong greg.wong at plumtree.com
Fri Mar 2 16:48:33 CST 2001


Hmm...good point, but you are passing the username as well.
Unless there is some verification with the "id" that I'm unaware of, it
would be hard to pass in a different username (one that isn't yours) and
then another password, thus changing the other user's password. 

Although, I guess if you really wanted to impersonate another user WITHOUT
them knowing, that would be too difficult to do either.

greg

-- I don't understand the necessity.  You wouldn't
-- be having this conversation with the server in the
-- first place if you (the Jabber client) didn't 
-- already provide the correct (old) password.
-- 
-- > -----Original Message-----
-- > From: Greg Wong [mailto:greg.wong at plumtree.com]
-- > Sent: Friday, March 02, 2001 1:46 PM
-- > To: 'jdev at jabber.org'
-- > Subject: [JDEV] new password
-- > 
-- > 
-- > To change password:
-- > 
-- > <iq type="set" id="blahblah" to="##your_jabber_server">
-- >   <query xmlns="jabber:iq:register">
-- >     <username>##your_user_name</username>
-- >     <password>##new_password</password>
-- >   </query>
-- > </iq>
-- > 
-- > Note: there is no check on the old password here.
-- > It would be good practice to make that check on the client side
-- > so as not to be able to hack into another person's account.
-- > 
-- > Is there a way (server code change) to add in an <oldpassword>
-- > field as a security measure?
-- > 
-- > greg
-- > 
-- > _______________________________________________
-- > jdev mailing list
-- > jdev at jabber.org
-- > http://mailman.jabber.org/listinfo/jdev
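
The question the thread turns on is whether the server ties the `<username>` in the request to the account that authenticated the connection. The following is an added example, not code from this thread or from any Jabber server, sketching that server-side check; `authorize_password_change`, `session_user`, and the sample stanzas are hypothetical, and lowercase comparison stands in for proper username normalization.

```python
import xml.etree.ElementTree as ET

NS = "{jabber:iq:register}"

def authorize_password_change(stanza_xml, session_user):
    """Return (allowed, reason) for a jabber:iq:register password change.

    session_user is the account this connection already authenticated as
    (assumed to be tracked by the server; hypothetical parameter).
    """
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return False, "malformed stanza"
    # Accept <iq> with or without a stream default namespace.
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set":
        return False, "not an iq set"
    query = iq.find(NS + "query")
    if query is None:
        return False, "no jabber:iq:register query"
    username = (query.findtext(NS + "username") or "").strip()
    password = query.findtext(NS + "password") or ""
    if not username or not password:
        return False, "missing username or password"
    # The decisive check: the client-supplied username is untrusted input
    # and must equal the identity bound to the authenticated session.
    if username.lower() != session_user.lower():
        return False, "username does not match authenticated session"
    return True, "ok"

# Constructed sample stanzas (not captured traffic).
TEMPLATE = (
    '<iq type="set" id="pw1" to="example.org">'
    '<query xmlns="jabber:iq:register">'
    "<username>{user}</username><password>n3w-secret</password>"
    "</query></iq>"
)
OWN_ACCOUNT = TEMPLATE.format(user="alice")
OTHER_ACCOUNT = TEMPLATE.format(user="bob")

if __name__ == "__main__":
    for stanza in (OWN_ACCOUNT, OTHER_ACCOUNT):
        print(authorize_password_change(stanza, session_user="alice"))
```

A check like this has to live on the server: a client-side check does nothing against a client that simply omits it.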



