Bug 223636 - automatic login for HTTP authentication
Status: NEW
Whiteboard: [passwords:http-auth][parity-safari]
Product: Toolkit
Classification: Components
Component: Password Manager
Version: unspecified
Platform: All All
Importance: P5 enhancement with 59 votes
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
: Matthew N. [:MattN] (PM me if requests are blocking you)
Mentors:
Duplicates: 112179 270918 317221 341105 504544 532877
Depends on: 513408 265780
Blocks: 267203
Reported: 2003-10-25 03:09 PDT by Nitin (vfwlkr)
Modified: 2016-07-14 22:58 PDT
60 users
bugs: blocking‑aviary1.0-
reed: wanted1.9+


Attachments
Patch v.1 (WIP) (14.95 KB, patch)
2009-05-29 17:45 PDT, Justin Dolske [:Dolske]
no flags
Patch v.2 (21.21 KB, patch)
2010-06-04 13:58 PDT, Justin Dolske [:Dolske]
no flags
Patch v.3 (20.90 KB, patch)
2010-06-04 15:08 PDT, Justin Dolske [:Dolske]
paul: feedback+

Description Nitin (vfwlkr) 2003-10-25 03:09:07 PDT
This is same as Bug 117592
That bug is for the password manager component in seamonkey, this one is to
request the same feature for firebird's password manager. I was asked to file a
separate bug for firebird.
http://forums.mozillazine.org/viewtopic.php?t=29189&start=29

From orig. bug:
For pages where authentication is done via the "old school", pop up a dialog
method, rather than with forms and cookies, there should be an option to
automatically log in if the name/password pair is stored with the password
manager.

A checkbox "do not ask me again" should be added below the current "save this
password" checkbox. If both are checked, silently log in in the future.

screenshot:
http://bugzilla.mozilla.org/attachment.cgi?id=132646&action=view
Comment 1 Nitin (vfwlkr) 2004-01-11 02:07:12 PST
Setting Hardware/OS to All/All.
Comment 2 Nitin (vfwlkr) 2004-01-27 07:45:23 PST
Adding keyword 'conversion'
http://forums.mozillazine.org/viewtopic.php?p=347089#347089

Most of my coworkers face the same problem.
Comment 3 alanjstr 2004-02-09 11:30:14 PST
This will need the ability to "uncheck" the box in some way other than removing
it from the password manager completely.
Comment 4 Kelvin Wood 2004-02-20 12:46:41 PST
Maybe we could add an icon to the statusbar indicating that the browser is
currently sending authentication information. The user could also use this to
switch login information, or to effectively "logout".

It would be nice if this bug was expanded to include NTLM authentication as well.
Comment 5 Nitin (vfwlkr) 2004-02-20 21:56:51 PST
Would it be possible to add a hidden pref accessible via about:config in the
core, and leave any UI change (checkbox, status bar) for extensions?
Comment 6 Ben Goodger (use ben at mozilla dot org for email) 2004-05-04 14:21:32 PDT
+ing to get on bryner's radar, I'll let him decide if he wants to fix this. 
Comment 7 Jesse Ruderman 2004-06-29 13:35:02 PDT
See also bug 231529, "Optionally enable unprompted NTLM authentication".
Comment 8 Jesse Ruderman 2004-06-29 13:35:23 PDT
*** Bug 249112 has been marked as a duplicate of this bug. ***
Comment 9 Nitin (vfwlkr) 2004-08-26 14:24:01 PDT
With the fix for bug 231529, IE-parity has been attained. I guess this bug can
still be left open as an RFE.. but the integrated windows auth. problem that
caused this bug report has been solved. Removing conversion keyword.

Comment 10 Jesse Ruderman 2004-11-19 22:00:33 PST
*** Bug 270918 has been marked as a duplicate of this bug. ***
Comment 11 Nitin (vfwlkr) 2005-10-21 10:10:06 PDT
resummarising
Comment 12 Jo Hermans 2006-06-11 01:41:25 PDT
*** Bug 341105 has been marked as a duplicate of this bug. ***
Comment 13 Jesse Ruderman 2006-07-08 02:40:50 PDT
Ironic that because Safari has this feature and Firefox doesn't, I often end up using Safari to access Mozilla Corp's internal wiki ;)
Comment 14 info 2006-11-16 09:22:47 PST
Is anyone working on it? I need this feature. Is there any workaround to make this automatic anyway? Thanks.
Comment 15 Tuukka Tolvanen (sp3000) 2007-02-04 08:07:24 PST
*** Bug 317221 has been marked as a duplicate of this bug. ***
Comment 16 Martin F. 2007-04-17 10:21:50 PDT
(In reply to comment #3)
> This will need the ability to "uncheck" the box in some way other than removing
> it from the password manager completely.

I suggest using URLs like http://user1@example.org, then "unchecking" would be easy. Unfortunately Firefox (2.0.0.3, haven’t tried a nightly build) doesn’t use the stored password with URLs like this. Also, the user is prompted if he really wants to login as user1 (bug 377786).
Comment 17 Jesse Ruderman 2007-06-04 02:40:33 PDT
Apparently there's an extension that does this:

http://www.efinke.com/addons/autoauth/
Comment 18 Justin Dolske [:Dolske] 2009-02-16 13:58:04 PST
*** Bug 112179 has been marked as a duplicate of this bug. ***
Comment 19 Justin Dolske [:Dolske] 2009-02-16 14:11:53 PST
Updating summary. One special case of this is for proxy authentication. We might want to consider having HTTP authentication default to always-prompt, but proxy-auth default to auto-login... My rough reasoning is that prompting for HTTP auth might be wanted as a safety-check step (eg, against CSRF), whereas for most people prompting for proxy auth is just an annoyance.
Comment 20 Jesse Ruderman 2009-02-16 14:13:23 PST
That's a pretty weak CSRF defense.  We shouldn't keep the prompt if it's just for CSRF defense.
Comment 21 Justin Dolske [:Dolske] 2009-02-16 14:18:59 PST
We could probably do something with making HTTP auth automatic when it's the same-origin as the page, but still prompt otherwise. Not sure what the full UI should be, just noting that we could be more liberal with proxy auth than HTTP auth. Like I said, "rough reasoning." :)
Comment 22 Ted Mielczarek [:ted.mielczarek] 2009-02-17 10:35:41 PST
FWIW, I voted for this bug because I want unprompted HTTP auth. I frequently have a page in my session store that I have the password saved for, and I'd like the login manager to just submit it for me without a dialog.
Comment 23 Justin Dolske [:Dolske] 2009-05-29 17:45:22 PDT
Created attachment 380553
Patch v.1 (WIP)

This patch implements backend support for having logins automatically submit in HTTP auth, and makes promptAuth() skip the prompt when it's filled with an autologin login.

Three main areas of work before this can land:

* Want doorhanger UI so that it's easy to turn off automatic login
* Need to figure out UI for enabling automatic login
* Need to implement a way to suppress automatic login when we try but it fails (eg, if your password expired).

It would also be nice to figure out if/how automatic form logins should work. That's for a separate bug, but would be good to make sure we don't have to change the DB schema in a complicated way.
Comment 24 Matthew N. [:MattN] (PM me if requests are blocking you) 2009-07-17 00:32:04 PDT
*** Bug 504544 has been marked as a duplicate of this bug. ***
Comment 25 Justin Dolske [:Dolske] 2009-10-09 13:54:05 PDT
*** Bug 521467 has been marked as a duplicate of this bug. ***
Comment 26 Ben Bucksch (:BenB) 2009-10-09 14:31:48 PDT
Bug 521467 has an alternative fix.
Comment 27 Ben Bucksch (:BenB) 2009-10-09 14:33:53 PDT
> * Need to implement a way to suppress automatic login when we
> try but it fails (eg, if your password expired).

My patch has that.
Comment 28 Tim (fmdeveloper) 2009-12-09 23:20:02 PST
*** Bug 532877 has been marked as a duplicate of this bug. ***
Comment 29 RNicoletto 2010-04-09 03:23:57 PDT
Is this bug related to the just-fixed-on-trunk bug 521467?
Comment 30 Ben Bucksch (:BenB) 2010-04-09 03:49:11 PDT
Yes. That bug allows you to automatically log in to your *proxy* without a prompt. It does not cover HTTP web servers (which have very different security and privacy characteristics).

The code there helps with the network code to notify us about login failures, which dolske referred to in comment 23 as:
> * Need to implement a way to suppress automatic login when we try but it
> fails (eg, if your password expired).
It does not help with the rest of the code needed here.
Comment 31 aevinodkumaar@gmail.com 2010-05-31 08:59:19 PDT
Hi, 

Is there a patch for this that I can try in my Firefox installation?

Thanks and Regards,
Vinod.
Comment 32 Justin Dolske [:Dolske] 2010-06-04 13:58:28 PDT
Created attachment 449338
Patch v.2

Updated patch.

Hitting some odd breakage, though, in that I keep getting |undefined| for .autoLogin. Eg, with the logging in this patch I get:

...
PwMgr mozStorage: _findLogins: returning 1 logins
PwMgr mozStorage: ZZZ logins[0].autoLogin is: true
Pwmgr Prompter: found 1 matching logins.
Pwmgr Prompter: ZZZ selectedLogin.autoLogin is: undefined

Not sure what's going wrong. :-/
Comment 33 Justin Dolske [:Dolske] 2010-06-04 15:08:36 PDT
Created attachment 449359
Patch v.3

Grr. Was missing a QI. Problem fixed.

I think this is mostly done, just a few things to check and write tests. Also considering only having autoauth working for top level documents, so that embedded images/iframes would not log in automatically (perhaps only when eTLD+1s differ?)
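
The prompting policy discussed in comments 19, 21, 23 and 33, written out as an added example; it is not taken from any patch attached to this bug. All field and function names are hypothetical, and it compares full origins (as comment 21 suggests) instead of eTLD+1, which is stricter and needs no public suffix list.

```javascript
// Added illustration: all field and function names are hypothetical, not Firefox APIs.
const failureKey = (c) =>
  `${c.isProxy ? "proxy" : "http"}|${new URL(c.authUrl).origin}|${c.realm}`;

// Decide whether a saved login may answer an auth challenge without a prompt.
// `failed` is a Set of failureKey() values whose silent attempt was rejected.
function decideAutoLogin(challenge, login, failed) {
  const authOrigin = new URL(challenge.authUrl).origin;
  // Only an explicit opt-in counts; undefined or null falls back to the prompt.
  if (!login || login.autoLogin !== true) {
    return { auto: false, reason: "not-opted-in" };
  }
  // The saved login must belong to exactly this origin and realm.
  if (login.origin !== authOrigin || login.realm !== challenge.realm) {
    return { auto: false, reason: "login-mismatch" };
  }
  // Do not replay a credential that was already rejected (e.g. expired password).
  if (failed.has(failureKey(challenge))) {
    return { auto: false, reason: "previous-attempt-failed" };
  }
  if (challenge.isProxy) return { auto: true, reason: "proxy" };
  if (challenge.isTopLevel) return { auto: true, reason: "top-level" };
  // Embedded image or iframe: allow only on the top-level page's own origin.
  const pageOrigin = new URL(challenge.topLevelUrl).origin;
  return pageOrigin === authOrigin
    ? { auto: true, reason: "same-origin-subresource" }
    : { auto: false, reason: "cross-origin-subresource" };
}

// Call when the server answers a silent attempt with another 401 or 407.
function recordFailure(challenge, failed) {
  failed.add(failureKey(challenge));
}

// Constructed sample data.
const savedLogin = { origin: "https://wiki.example.org", realm: "Wiki", autoLogin: true };
const topLevel = { authUrl: "https://wiki.example.org/Main", realm: "Wiki",
                   isProxy: false, isTopLevel: true };
const embedded = { ...topLevel, isTopLevel: false,
                   topLevelUrl: "https://other.example.net/page.html" };
const failedAttempts = new Set();
console.log(decideAutoLogin(topLevel, savedLogin, failedAttempts).reason);
console.log(decideAutoLogin(embedded, savedLogin, failedAttempts).reason);
```
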
Comment 34 Paul O'Shannessy [:zpao] (not reading much bugmail, email directly) 2010-06-08 14:32:34 PDT
Comment on attachment 449359
Patch v.3

>+    _dbMigrateToVersion5 : function () {
>+        // Add the new column only if needed.
>+        if (!this._dbColumnExists("autoLogin")) {
>+            // XXX integer seems simplest here (0=false, 1=true), but maybe this
>+            //     should be text. eg "yes/no/never" or for storing URLs for form
>+            //     logins (ie, only autosubmit on certain URLs)?
>+            this._dbConnection.executeSimpleSQL(
>+                "ALTER TABLE moz_logins ADD COLUMN autoLogin INTEGER");
>+        }
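
Review bot: The `ALTER TABLE moz_logins ADD COLUMN autoLogin INTEGER` statement in `_dbMigrateToVersion5` gives the new column no default, so every login saved before the migration ends up with NULL, not the 0 or 1 that the XXX comment describes. Consider `autoLogin INTEGER NOT NULL DEFAULT 0`, or state in the comment that NULL is read as false, so that existing logins keep prompting until the user opts in. The open XXX question about integer versus text should also be settled before this lands, because changing the column's meaning later means another schema migration.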

I had a similar question - we could use "boolean" types instead of 0/1. I think internally it's the same to sqlite. But if we do go for a 3-state flag, then we probably shouldn't do text. Keep them as ints and define some constants. Not sure how I feel about storing urls...
Comment 35 Vova Olar 2012-03-11 09:43:52 PDT
Any news here?
Comment 36 Ben Bucksch (:BenB) 2012-03-11 18:12:38 PDT
FWIW, automatic HTTP proxy auth is implemented as part of Bug 521467. You just need to set pref "signon.autologin.proxy" = true (Boolean). Bug 646452 is about making it work by default.
Comment 37 Justin Dolske [:Dolske] 2012-04-20 22:18:29 PDT
(clearing assignment of bugs I'm no longer planning to work on)
Comment 38 Manish Goregaokar [:manishearth] 2013-08-28 23:38:14 PDT
I think that we can use the fix from Bug 521467 here. That fix gave us the convenient signon.autologin.proxy pref, so it should be pretty easy to add an autologin checkbox to the proxy dialog.

I'll try this out later.
