With two saved logins for a site, the Password Manager autofills login A over login B
Categories
(Toolkit :: Password Manager: Site Compatibility, defect)
People
(Reporter: max.bruderli, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
I have two accounts on my bank's webpage. I access account A, then exit, switching to account B. Lockwise will not allow accessing account B and stubbornly opens account A again, because it "remembers" account A.
Actual results:
See above.
Expected results:
Lockwise should allow accessing multiple accounts on the same website (bank)
Comment 1•4 years ago
Thank you for taking the time to file this bug.
In order for us to identify the problem you are experiencing, we would need more information from you. Could you please provide step-by-step instructions to reproduce the issue, including the URL for the login page?
Also, can you enable Password Manager logging (by following these steps to enable logging and steps to view the logs), reproduce the issue, and attach the logs generated by the issue to this bug?
Please omit any personally identifiable information from this data prior to submitting it.
(In reply to Bianca Danforth [:bdanforth] from comment #1)
> Thank you for taking the time to file this bug.
> In order for us to identify the problem you are experiencing, we would need more information from you. Could you please provide step-by-step instructions to reproduce the issue, including the URL for the login page?
> Also, can you enable Password Manager logging (by following these steps to enable logging and steps to view the logs), reproduce the issue, and attach the logs generated by the issue to this bug?
> Please omit any personally identifiable information from this data prior to submitting it.
Bianca;
I cannot reproduce these steps without revealing personal info, since I am working with different bank/trading accounts. The steps are simple and just as I described. Apart from that I'm only moderately computer "savvy".
(1) I set up url for the bank
(2) Set up user name and site password for account A
(3) Opening account A works without a hitch
(4) Logging off account and delete Tab.
(5) Repeat steps 1 and 2 for account B
(6) Logging into this account is impossible because Lockwise will revert to opening account A
This scenario plays with every bank with which I have several accounts. Lockwise only "remembers" the first account.
Hope that helps
Max
Comment 3•4 years ago
Thank you for the additional information; I understand the concern about not wanting to share any sensitive information. Let's see if we can dig a little deeper without the URLs or the logs.
> (6) Logging into this account is impossible because Lockwise will revert to opening account A
Can you tell me a little more specifically what you mean when you say "Lockwise will revert to opening account A"? Specifically, are either of the two things occurring (Y/N):
- The password (and possibly also the username) for account A is automatically filled in (the field's background color is yellow).
- The username for account A is automatically filled in, but not the password for account A (the field's background color is white).
When trying to open account B both the username AND the password are automatically replaced with those of account A. Account B will not open.
In other words: Username and password for account B are replaced with same for account A.
This happens with all my bank/trading accounts. Same url, but different usernames and passwords for accounts A and B. Any attempt to open account B, after having closed account A and deleted account A tab, will automatically revert to opening account A.
Any freestanding password manager, such as LastPass (which I am using now), or Dashlane (which I have used previously) will let you set up different accounts with the same bank url. Lockwise will let you set up different accounts as well, but will not open account B, if previously account A has been opened.
Hope this will help!
Max
Comment 5•4 years ago
Hi there; thank you for the additional information. I'm still trying to narrow down what might be happening, so I have a few more questions for you:
- After your login for account A is automatically filled in, if you clear the password field, do you see both logins suggested in the autocomplete popup (example)?
- If so, do both logins say "From this website", or does one of them, e.g. Account B, say it is from a different domain?
- When signed out of either account, if you temporarily disable the Password Manager[1], does the username field get automatically filled for Account A?
[1] How to disable the Password Manager
1. Go to `about:preferences` in the URL bar.
2. In the Search field in the top right corner of the page, enter `passwords`.
3. Under the "Logins and Passwords" heading, uncheck the first checkbox: "Ask to save logins and passwords for websites".
4. Refresh the page for the changes to take effect.
You can similarly re-enable the Password Manager by following the same steps above, but re-checking the checkbox in Step 3.
Bianca;
Yes, I see both logins.
Yes, both logins indicate the same website
I did uncheck
No, if I sign out, the user account is not automatically filled in.
Looks like everything is working now. Thanks
Max
Comment 7•4 years ago
The severity field is not set for this bug.
:MattN, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 8•4 years ago
(In reply to Max from comment #6)
> Bianca;
> Yes, I see both logins.
> Yes, both logins indicate the same website
> I did uncheck
> No, if I sign out, the user account is not automatically filled in.
> Looks like everything is working now. Thanks
> Max
Thank you for trying out the steps above. These steps disabled the Password Manager, so I hope you will consider re-enabling it, and that we can find a solution here that enables you to continue using the Password Manager going forward.
Based on your troubleshooting answers, this leads me to believe that the saved login data for Account A and Account B may have different form action origins; the form action origin is the origin[1] for where your login data is being submitted ultimately.
We can confirm this, however, if you would perform the following steps:
1. Visit a site where you observe this issue.
2. Right click almost anywhere in the page and select "Inspect Element" to open Developer Tools.
3. In the new pane that pops up, select the "Console" tab.
4. Enter the following into the console, and hit "Enter" or click "Run":
    new URL(window.location).origin
5. Copy the value returned, with the quotes (e.g. "www.bank.com") to your clipboard.
6. Open the Browser Console[2]. Note that this is not the same Console as in step 3. This should open in a separate window.
7. Enter the following into the Browser Console, replacing "www.bank.com" with the value copied in step 5, including quotes:
    (await Services.logins.searchLoginsAsync({ origin: "www.bank.com"})).forEach(login => console.log("username: ", login.username, "formActionOrigin: ", login.formActionOrigin));
8. Share the output here, or if you prefer, tell us: are the outputted values for formActionOrigin different between the usernames for Account A and Account B? If different, do they have the same domain name (e.g. "www.bank.com" and "login.bank.com" have the same domain)?[3]
Bianca - First I have to reiterate that I'm not a computer wiz. However, subsequent to my last comment #6 I noticed that (a) yes, there are two logins and (b) both logins are for the same website. BUT they appeared because LastPass, my password manager, placed them there, not because of Lockwise. Hence, back to the beginning.
But it's getting worse: Apart from being unable to access two accounts on the same webpage, there are more serious problems.
Example: The URL for my Exxon account is https://citiretailservices.citibankonline.com/RSnextgen/svc/launch/index.action?siteId=PLOC_EXXONMOBIL#signon. Lockwise only allows https://citiretailservices.citibankonline.com and cuts out everything after .com, resulting in the error message "Page not found".
The URL for my AT&T account is https://www.att.com/my/#/login, and again, Lockwise only allows https://www.att.com, cutting everything after .com.
In light of this the inability to access several accounts on the same URL seems minor.
Max
Comment 10•4 years ago
> Bianca - First I have to reiterate that I'm not a computer wiz. However, subsequent to my last comment #6 I noticed that (a) yes, there are two logins and (b) both logins are for the same website. BUT they appeared because LastPass, my password manager, placed them there, not because of Lockwise. Hence, back to the beginning.
Thank you for the information. Is the issue you initially reported from a third party password manager? If so, we can close this bug.
If not, without any logs or the information I requested in Comment 8, we don't have enough information to proceed, and we will close this bug.
> But it's getting worse: Apart from being unable to access two accounts on the same webpage, there are more serious problems.
> Example: The URL for my Exxon account is https://citiretailservices.citibankonline.com/RSnextgen/svc/launch/index.action?siteId=PLOC_EXXONMOBIL#signon. Lockwise only allows https://citiretailservices.citibankonline.com and cuts out everything after .com, resulting in the error message "Page not found".
> The URL for my AT&T account is https://www.att.com/my/#/login, and again, Lockwise only allows https://www.att.com, cutting everything after .com.
If I understand correctly, you are referring to an existing bug, Bug 263387. We previously marked that as WONTFIX, but you're welcome to add your support for that issue there. It's possible we will revisit it at some point given user interest.
Comment 11•4 years ago (Reporter)
Bianca - No, the issue I originally reported is not from a third party password manager, but whenever I get to a sign-in name and password fields the LastPass fills those automatically.
I tried to get the log you requested, but I'm getting stuck. Not computer-savvy enough. Plus, since the rest is an existing NOFIX bug I think it's a good idea to drop this exercise. I'll stick with the external password manager. Thank you
Comment 12•4 years ago
Unfortunately the logic for how the Password Manager behaves can vary based on the site, so without the URL(s) or else some information gathered from the DevTools Console, it is not possible to understand what is happening with the information provided.
I appreciate that the steps to obtain additional details can be difficult; I talked about this with my team last week, and we think it could be helpful to have a short video on our Password Manager Debugging wiki page that shows users how to enable logging, access the logs and attach them to a bug. apurice: do you think QA could help us to make a video like this?
As for this bug, I am going to mark it as incomplete for now. If there is a site where you see this behavior, and you are comfortable sharing the URL (or preferably, some logs), please comment here, and we can re-open the bug.
I do think it is likely the issue you are seeing is related to login B having a different formActionOrigin compared to login A, in which case Bug 1646610 would address it assuming they only differ by subdomain.
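The comparison requested in Comment 8 and summarized in Comment 12, as an added example that is not part of the bug thread and is not Firefox's own matching code: it reduces URLs to origins (which is why a saved entry keeps only the part up to `.com`) and classifies each saved login's formActionOrigin against the form's submit target. The record shape mirrors the fields printed by the console command above; the sample logins, the `bank.example` hosts and the two-label base-domain shortcut are assumptions.

```javascript
// Reduce any URL to its origin (scheme + host + port). Path, query string and
// fragment are dropped, exactly as `new URL(window.location).origin` does.
function toOrigin(url) {
  return new URL(url).origin;
}

// ASSUMPTION: approximate the registrable domain as the last two host labels.
// Production code needs the Public Suffix List ("co.uk" breaks this shortcut).
function baseDomain(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Relate a saved formActionOrigin to the origin the login form submits to.
function classify(savedFormActionOrigin, formActionUrl) {
  const actual = toOrigin(formActionUrl);
  if (savedFormActionOrigin === actual) return "exact";
  const sameScheme =
    new URL(savedFormActionOrigin).protocol === new URL(actual).protocol;
  if (sameScheme && baseDomain(savedFormActionOrigin) === baseDomain(actual)) {
    return "subdomain-only"; // the case Comment 12 expects Bug 1646610 to cover
  }
  return "different";
}

// List every login saved for the page's origin with its classification.
function auditLogins(logins, pageUrl, formActionUrl) {
  const pageOrigin = toOrigin(pageUrl);
  return logins
    .filter((l) => l.origin === pageOrigin)
    .map((l) => ({
      username: l.username,
      match: classify(l.formActionOrigin, formActionUrl),
    }));
}

// Constructed sample data: two accounts saved for the same site.
const sampleLogins = [
  { username: "accountA", origin: "https://www.bank.example", formActionOrigin: "https://login.bank.example" },
  { username: "accountB", origin: "https://www.bank.example", formActionOrigin: "https://www.bank.example" },
  { username: "other", origin: "https://shop.example", formActionOrigin: "https://shop.example" },
];

console.log(auditLogins(sampleLogins,
  "https://www.bank.example/signin?next=/home#form",
  "https://login.bank.example/auth"));
```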
Comment 13•4 years ago
Thanks apurice for making a video; we just updated the Debugging wiki page to include it alongside the equivalent written instructions.