Login improvements

[genix]

Just found that login delay a bit annoying... so here is a bit optimized script which puts delay only in case of invalid login
Also fixed ie6 js errors for some pages

[ispyisail]

Thanks

[mix]

Weird question, but does ssh login do something similar with a delay? I notice a 5 second delay between when I try to initiate a ssh connection with putty on my computer and when I first see a login prompt. I swear this didn't use to exist in the 1.3 series, and I know for sure dd-wrt is much quicker. Heck, making a ssh connection to external servers is much much quicker. Anyone know what's up? (Don't bother telling me to reinstall the firmware either, this has gone on with all 1.4 versions).

[genix]

Don't know about ssh but I found some other issues: there is not possible to logout with ie6 - looks like paths starting with /./ confuses its redirection or so.
Another small issue: you can't properly load saved page from local disk because styles/scripts have absolute paths starting with '/', IMO it shouldn't be hardcoded because you can always specify that in settings. Suggested fixes included in patch

[Eric]

Thanks for your patches, I've applied some of them.

I applied the IE compatibility fixes, and eliminated /./ from the links generated by gargoyle_header_footer, but did not apply the fast login patch or the relative paths in links.

Allowing fast login when the password is correct defeats the purpose of the delay. If there is a delay when the password is wrong, but none if it is right, the mere presence of a delay is an indication that the password was wrong... and an attacker can note the absence of an answer and try the next password on the list as soon as the time it takes exceeds that for a correct login. Requiring a delay in both cases means an attacker can't know whether a password was correct until after the delay has expired.

Also the links should be absolute. Right now all the pages are in the same directory, but if I ever add one that is not in the same directory, in a subdirectory, using an absolute path relative to the http root will be necessary.

[genix]

Ok, agree with fast login.

Also the links should be absolute. Right now all the pages are in the same directory, but if I ever add one that is not in the same directory, in a subdirectory, using an absolute path relative to the http root will be necessary.

If I'm correct - there is theme_root and js_root configuration variables which can hold / i.e. can specify absolute paths when its needed - or I'm wrong?

[Eric]

You are correct. I just updated the code to detect dynamically whether those variables start with a forward slash ("/") character, and to generate the links accordingly.