[SM-DEVEL] All-caps passwords: patch to login.php

[Ted B. <ted...@mo...>]

I administer a Squirrelmail server with 60 users, many of whose caps lock 
keys are permanently soldered to the ON position. :) To improve usability, 
I've modified /src/login.php to check the username and password fields 
prior to form submission, using Javascript.

If either field is all caps, an OK/Cancel dialog prompts the user to 
convert that field to lowercase.  If the user clicks Cancel, the field will 
remain in all caps.  If JavaScript is disabled, the form will submit 
normally.  The use of this code at all can be toggled by setting 
$login_uppercase_prompt in /config/config.php .

I had a terrific discussion with Erin Schnabel and Rick Castello tonight 
about this patch, in #squirrelmail on sterling.freenode.net.  Erin and Rick 
both disagreed philosophically with this feature.  To my understanding, 
they feel code should never alter a user's password, for fear that the user 
will think his password is being handled insecurely.  Alternatively, they 
said users with stuck caps lock keys should be assigned all caps passwords. :)

Following is a patch for /src/login.php against 1.2.11.  You will need to 
add "$login_uppercase_prompt = true" to /config/config.php or the top of 
/src/login.php for this to work.

This is my first patch, so hopefully it's in the right format.  FWIW, I 
copied login.php to login_old.php before making changes.

If this passes muster, I'd like this to appear as a plugin, under the 
"Logging in" section.

diff -u login_old.php login.php
--- login_old.php       Wed Mar 12 23:34:17 2003
+++ login.php   Wed Mar 12 23:37:54 2003
@@ -102,6 +102,21 @@
            "  }\n".
            "// -->\n".
            "</script>\n";
+
+if ($login_uppercase_prompt) {
+    $header .=
+    '<script type="text/javascript">
+    function check_caps(field_name, field_obj) {
+        if (field_obj.value == field_obj.value.toUpperCase()) {
+            if (confirm("Your " + field_name + " is in ALL CAPS.  Should 
it be lowercase instead?")) {
+                field_obj.value = field_obj.value.toLowerCase();
+            }
+        }
+        return true;
+    }'.
+    "\n</script>\n";
+}
+
  $custom_css = 'none';
  displayHtmlHeader( "$org_name - " . _("Login"), $header, FALSE );

@@ -157,7 +172,10 @@
       "      </TR>\n".
       "   </TABLE></TD></TR>\n".
       "   <TR><TD>\n".
-     '      <CENTER><INPUT TYPE=SUBMIT VALUE="' . _("Login") . 
"\"></CENTER>\n".
+     '      <CENTER><INPUT TYPE=SUBMIT VALUE="' . _("Login") . '"'.
+     ( $login_uppercase_prompt ? " ONCLICK=\"check_caps('username', 
$username_form_name);".
+         "check_caps('password', $password_form_name)\"" : '' ) .
+     "></CENTER>\n".
       "   </TD></TR>\n".
       "</TABLE>\n".
       "</CENTER>\n";

Ted Behling, Chief Penguin Surgeon
Monarch Information Systems, Inc.
tbe...@mo...