Closed Bug 1217421 Opened 9 years ago Closed 8 years ago

Password autocomplete breaks user administration in web tools (Bugzilla, FusionDirectory, others)

Categories

(Toolkit :: Password Manager: Site Compatibility, defect)

38 Branch
defect
Not set
major

RESOLVED DUPLICATE of bug 1119063

People

(Reporter: michael.j.tosh, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150916094008

Steps to reproduce:

1) Become an administrator of a Bugzilla installation (or any type of web front end that has user accounts, like phpBB, etc.)
2) Save your own password via the login form prompt
  -) My login form fields are "Bugzilla_username" and "Bugzilla_password".
3) Use a password manager in Firefox, and confirm that the saved password is specifically tied to those field names.
4) Go to the User Administration page for another user, which includes the following fields: "login", "name", and "password".


Actual results:

My saved login credentials are autocompleted into the other user's fields if they don't have a "Real Name" set.

If I don't notice, and make another change to the user's account, their password will be set to match mine, their name will be set to my login name, and they will be unable to log in.  Even if I clear those fields out before submission, they are prefilled on the page after a submit, so it is unclear if I actually cleared them out or not without inspecting the HTML content.


Expected results:

The password field called "password" should not have been prefilled with credentials specifically tied to fields called "Bugzilla_password".
Did that behavior change after a Firefox upgrade? If yes, what was the previous version installed?
Component: Untriaged → Password Manager
Flags: needinfo?(michael.j.tosh)
Product: Firefox → Toolkit
(In reply to Sebastian H. [:aryx][:archaeopteryx] from comment #1)
> Did that behavior change after a Firefox upgrade? If yes, what was the
> previous version installed?

I'm not exactly sure when this problem started occurring; my FF is installed via an ESR channel through the corporation's IT department.
Flags: needinfo?(michael.j.tosh)
Please mark as resolved and duplicate with bug mentioned in triage. Thanks.
Flags: needinfo?(MattN+bmo)
Component: Password Manager → Password Manager: Site Compatibility
Hello,

I’m not sure what the last comment means and if this bug is considered resolved or not, but I got the same problem with FusionDirectory: users are complaining because Firefox fills the password field of the account edition page with the password saved for the login form, which causes problems.
The password field in this page already has autocomplete="off" but Firefox still fills it.
It’s not the same URL nor the same form name/id or field name/id as the login form the password was saved for, so I don’t get why Firefox is editing this field value.

Our next version will probably use a plain text field for password edition to avoid this bug, it’s a bit sad to have to do this :-/

(You can try it on demo.fusiondirectory.org. On this version the form name is the same one, but changing this does not solve the problem. You can see autocomplete is off on the password field of the login page and the name/id of the fields are not the same ones. It’s not even the same URL, as login is on index.php while profile edition is on main.php.)
Severity: normal → major
Summary: Password autocomplete breaks user administration in standalone Bugzilla → Password autocomplete breaks user administration in web tools (Bugzilla, FusionDirectory, others)
Sites that have user administration forms that are used for entering new passwords should use autocomplete="new-password" as the sign to browsers to not autofill an existing password. Firefox will implement support for that attribute value in bug 1119063.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(MattN+bmo)
Resolution: --- → DUPLICATE
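
The recommendation in the closing comment can be checked mechanically across a site's templates. The following is an added example, not code from Bugzilla, FusionDirectory or Firefox: a Python audit that lists password inputs outside login forms that are not marked autocomplete="new-password". The `audit` helper, the form actions and the sample markup are assumptions; only the field names come from the report.

```python
from html.parser import HTMLParser

# Constructed sample markup. Field names are the ones quoted in the report;
# the form actions ("/login", "/admin/user") are placeholders.
SAMPLE = """
<form action="/login"><input name="Bugzilla_username">
  <input name="Bugzilla_password" type="password"></form>
<form action="/admin/user"><input name="login"><input name="name">
  <input name="password" type="password" autocomplete="off"></form>
<form action="/admin/user">
  <input name="password" type="password" autocomplete="new-password"></form>
"""

class PasswordFieldAudit(HTMLParser):
    """Collect password inputs that lack the new-password autocomplete token."""

    def __init__(self, login_actions):
        super().__init__()
        self.login_actions = set(login_actions)
        self.form_action = None   # action of the enclosing <form>, if any
        self.findings = []        # (form action, field name, autocomplete value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self.form_action in self.login_actions:
                return  # login form: filling the saved password is intended
            # autocomplete is a space-separated token list, compared case-insensitively
            tokens = (a.get("autocomplete") or "").lower().split()
            if "new-password" not in tokens:
                self.findings.append(
                    (self.form_action, a.get("name"), a.get("autocomplete")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(html, login_actions=("/login",)):
    """Return password fields a browser may treat as a place for a saved login."""
    parser = PasswordFieldAudit(login_actions)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A field reported with the value "off" corresponds to the FusionDirectory case described in the thread, where autocomplete="off" did not stop the fill.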