[JDEV] new password
Todd Bradley
TBradley at jabber.com
Fri Mar 2 17:19:22 CST 2001
So what you're saying is that the <username> is
redundant information in the case where you're
sending a password change. I agree 100%.
> -----Original Message-----
> From: Greg Wong [mailto:greg.wong at plumtree.com]
> Sent: Friday, March 02, 2001 3:49 PM
> To: 'jdev at jabber.org'
> Subject: RE: [JDEV] new password
>
>
> Hmm...good point, but you are passing the username as well.
> Unless there is some verification with the "id" that I'm unaware of, it
> would be hard to pass in a different username (one that isn't yours) and
> then another password, thus changing the other user's password.
>
> Although, I guess if you really wanted to impersonate another user WITHOUT
> them knowing, that would be too difficult to do either.
>
> greg
>
> -- I don't understand the necessity. You wouldn't
> -- be having this conversation with the server in the
> -- first place if you (the Jabber client) didn't
> -- already provide the correct (old) password.
> --
> -- > -----Original Message-----
> -- > From: Greg Wong [mailto:greg.wong at plumtree.com]
> -- > Sent: Friday, March 02, 2001 1:46 PM
> -- > To: 'jdev at jabber.org'
> -- > Subject: [JDEV] new password
> -- >
> -- >
> -- > To change password:
> -- >
> -- > <iq type="set" id="blahblah" to="##your_jabber_server">
> -- >   <query xmlns="jabber:iq:register">
> -- >     <username>##your_user_name</username>
> -- >     <password>##new_password</password>
> -- >   </query>
> -- > </iq>
> -- >
> -- > Note: there is no check on the old password here.
> -- > It would be good practice to make that check on the client side
> -- > so as not to be able to hack into another person's account.
> -- >
> -- > Is there a way (server code change) to add in an <oldpassword> field
> -- > as a security measure?
> -- >
> -- > greg
> -- >
> -- > _______________________________________________
> -- > jdev mailing list
> -- > jdev at jabber.org
> -- > http://mailman.jabber.org/listinfo/jdev
>
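The point the thread arrives at, sketched server-side as an added example (not code from the Jabber server or from anyone in the thread): the account whose password changes is taken from the already-authenticated session, and a `<username>` naming a different account is rejected. `handle_password_change`, `session_user` and the `store` dict are hypothetical names, and the sample stanza is constructed.

```python
import hashlib
import os
import xml.etree.ElementTree as ET

NS = "{jabber:iq:register}"  # namespace used by the stanza in the thread

# Constructed sample: the thread's stanza with placeholder values filled in.
SAMPLE = (
    '<iq type="set" id="blahblah" to="example.invalid">'
    '<query xmlns="jabber:iq:register"><username>alice</username>'
    '<password>correct horse</password></query></iq>'
)


def handle_password_change(stanza_xml, session_user, store):
    """Apply a jabber:iq:register password change for an authenticated session.

    session_user: username the server bound to this connection at login
                  (hypothetical; how a real server tracks it is an assumption).
    store:        dict of username -> (salt, hash), standing in for the
                  server's account database.
    Returns ("result", None) or ("error", reason).
    """
    try:
        iq = ET.fromstring(stanza_xml)
    except ET.ParseError:
        return ("error", "malformed stanza")
    query = iq.find(NS + "query")
    # Accept <iq> with or without a stream-level default namespace.
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set" or query is None:
        return ("error", "not a register set")
    new_password = query.findtext(NS + "password") or ""
    if not new_password:
        return ("error", "missing password")
    # The account to change comes from the session, never from the stanza.
    # A <username> naming someone else is rejected rather than silently
    # ignored, so the mismatch is visible and can be logged.
    claimed = query.findtext(NS + "username")
    if claimed is not None and claimed.strip() != session_user:
        return ("error", "username does not match authenticated session")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
    store[session_user] = (salt, digest)
    return ("result", None)


if __name__ == "__main__":
    accounts = {}
    print(handle_password_change(SAMPLE, "alice", accounts))    # own account
    print(handle_password_change(SAMPLE, "mallory", accounts))  # other account
```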