automatic login for HTTP authentication

NEW
Unassigned

Status

()

Toolkit
Password Manager
P5
enhancement
14 years ago
10 months ago

People

(Reporter: Nitin (vfwlkr), Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 1 bug)

unspecified
Points:
---
Dependency tree / graph
Bug Flags:
blocking-aviary1.0 -
wanted1.9 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [passwords:http-auth][parity-safari])

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

14 years ago
This is same as Bug 117592
That bug is for the password manager component in seamonkey, this one is to
request the same feature for firebird's password manager. I was asked to file a
seperate bug for firebird.
http://forums.mozillazine.org/viewtopic.php?t=29189&start=29

From orig. bug:
For pages where authentication is done via the "old school", pop up a dialog
method, rather than with forms and cookies, there should be an option to
automatically log in if the name/password pair is stored with the password
manager.

A checkbox "do not ask me again" should be added below the current "save this
password" checkbox. If both are checked, silently login in the future.

screenshot:
http://bugzilla.mozilla.org/attachment.cgi?id=132646&action=view
(Reporter)

Comment 1

14 years ago
Setting Hardware/OS to All/All.
OS: Windows XP → All
Hardware: PC → All
(Reporter)

Comment 2

13 years ago
Adding keyword 'conversion'
http://forums.mozillazine.org/viewtopic.php?p=347089#347089

Most of my coworkers face the same problem.
Keywords: conversion

Updated

13 years ago
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth) → [RFE] Automatically log into sites for which the name/password is stored (HTTP Basi+c Auth)

Updated

13 years ago
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basi+c Auth) → [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth)

Comment 3

13 years ago
This will need the ability to "uncheck" the box in some way other than removing
it from the password manager completely.

Comment 4

13 years ago
Maybe we could add an icon to the statusbar indicating that the browser is
currently sending authentication information. The user could also use this to
switch login information, or to effectively "logout".

It would be nice if this bug was expanded to include NTLM authentication as well.
(Reporter)

Comment 5

13 years ago
Would it be possible to add a hidden pref accessible via about:config in the
core, and leave any UI change (checkbox, status bar) for extensions?

Updated

13 years ago
Flags: blocking1.0?
+ing to get on bryner's radar, I'll let him decide if he wants to fix this. 
Flags: blocking1.0? → blocking1.0+
Flags: blocking1.0+ → blocking1.0-
Priority: -- → P4

Comment 7

13 years ago
See also bug 231529, "Optionally enable unprompted NTLM authentication".

Comment 8

13 years ago
*** Bug 249112 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 9

13 years ago
With the fix for bug 231529, IE-parity has been attained. I guess this bug can
still be left open as an RFE.. but the integrated windows auth. problem that
caused this bug report has been solved. Removing conversion keyword.

Keywords: conversion

Comment 10

13 years ago
*** Bug 270918 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 11

12 years ago
resummarising
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth) → [RFE] optionally enable unprompted http basic authentication (automatically log in when username/password is stored)
Assignee: bryner → nobody
Priority: P4 → --
QA Contact: davidpjames → password.manager
Summary: [RFE] optionally enable unprompted http basic authentication (automatically log in when username/password is stored) → optionally enable unprompted http basic authentication (automatically log in when username/password is stored)

Updated

11 years ago
Depends on: 265780
Whiteboard: [p-safari]

Comment 12

11 years ago
*** Bug 341105 has been marked as a duplicate of this bug. ***

Comment 13

11 years ago
Ironic that because Safari has this feature and Firefox doesn't, I often end up using Safari to access Mozilla Corp's internal wiki ;)

Updated

11 years ago
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9-
Whiteboard: [p-safari] → [wanted-1.9] [p-safari]

Comment 14

11 years ago
anyone it is working on it? i need this feature, any workaround to make this automatic anyway? Thanks.
Duplicate of this bug: 317221

Comment 16

10 years ago
(In reply to comment #3)
> This will need the ability to "uncheck" the box in some way other than removing
> it from the password manager completely.

I suggest using URLs like http://user1@example.org, then "unchecking" would be easy. Unfortunately Firefox (2.0.0.3, haven’t tried a nightly build) doesn’t use the stored password with URLs like this. Also, the user is prompted if he really wants to login as user1 (bug 377786).

Comment 17

10 years ago
Apparently there's an extension that does this:

http://www.efinke.com/addons/autoauth/

Updated

10 years ago
Assignee: nobody → dolske
Target Milestone: --- → Firefox 3
Assignee: dolske → nobody
Flags: wanted-firefox3+
Whiteboard: [wanted-1.9] [p-safari] → [p-safari]

Updated

9 years ago
Blocks: 267203
(Assignee)

Updated

9 years ago
Product: Firefox → Toolkit
Target Milestone: mozilla1.9 → mozilla2.0
Duplicate of this bug: 112179
Updating summary. One special case of this is for proxy authentication. We might want to consider having HTTP authentication default to always-prompt, but proxy-auth default to auto-login... My rough reasoning is that prompting for HTTP auth might be wanted as a safety-check step (eg, against CSRF), whereas for most people prompting for proxy auth is just an annoyance.
Summary: optionally enable unprompted http basic authentication (automatically log in when username/password is stored) → automatic login for HTTP/proxy authentication

Comment 20

8 years ago
That's a pretty weak CSRF defense.  We shouldn't keep the prompt if it's just for CSRF defense.
We could probably do something with making HTTP auth automatic when it's the same-origin as the page, but still prompt otherwise. Not sure what the full UI should be, just noting that we could be more liberal with proxy auth than HTTP auth. Like I said, "rough reasoning." :)
FWIW, I voted for this bug because I want unprompted HTTP auth. I frequently have a page in my session store that I have the password saved for, and I'd like the login manager to just submit it for me without a dialog.
Assignee: nobody → dolske
Target Milestone: mozilla2.0 → mozilla1.9.2
Created attachment 380553 [details] [diff] [review]
Patch v.1 (WIP)

This patch implements backend support for having logins automatically submit in HTTP auth, and makes promptAuth() skip the prompt when it's filled with an autologin login.

Three main areas of work before this can land:

* Want doorhanger UI so that it's easy to turn off automatic login
* Need to figure out UI for enabling automatic login
* Need to implement a way to suppress automatic login when we try but it fails (eg, if you password expired).

It would also be nice to figure out if/how automatic form logins should work. That's for a separate bug, but would be good to make sure we don't have to change the DB schema in a complicated way.
Duplicate of this bug: 504544
Depends on: 513408
Duplicate of this bug: 521467

Comment 26

8 years ago
Bug 521467 has an alternative fix.

Comment 27

8 years ago
> * Need to implement a way to suppress automatic login when we
> try but it fails (eg, if you password expired).

My patch has that.

Updated

8 years ago
Duplicate of this bug: 532877

Comment 29

7 years ago
Is this bug related to the just-fixed-on-trunk bug 521467?

Comment 30

7 years ago
Yes. That bug allows to automatically log in to your *proxy* without prompt. It does not cover HTTP web servers (which have very different security and privacy characteristics.

The code there helps with the network code to notify us about login failures, which dolske referred to in comment 23 as:
> * Need to implement a way to suppress automatic login when we try but it
> fails (eg, if you password expired).
It does not help with the rest of the code needed here.
Hi, 

Is there a patch for this that I can try in my Firefox installation?

Thanks and Regards,
Vinod.
Created attachment 449338 [details] [diff] [review]
Patch v.2

Updated patch.

Hitting some odd breakage, though, in that I keep getting |undefined| for .autoLogin. Eg, with the logging in this patch I get:

...
PwMgr mozStorage: _findLogins: returning 1 logins
PwMgr mozStorage: ZZZ logins[0].autoLogin is: true
Pwmgr Prompter: found 1 matching logins.
Pwmgr Prompter: ZZZ selectedLogin.autoLogin is: undefined

Not sure what's going wrong. :-/
Attachment #380553 - Attachment is obsolete: true
Created attachment 449359 [details] [diff] [review]
Patch v.3

Grr. Was missing a QI. Problem fixed.

I think this is mostly done, just a few things to check and write tests. Also considering only having autoauth working for top level documents, so that embedded images/iframes would not log in automatically (perhaps only when when eTLD+1s differ?)
Attachment #449338 - Attachment is obsolete: true
Attachment #449359 - Flags: feedback?(paul)
Comment on attachment 449359 [details] [diff] [review]
Patch v.3

>+    _dbMigrateToVersion5 : function () {
>+        // Add the new column only if needed.
>+        if (!this._dbColumnExists("autoLogin")) {
>+            // XXX integer seems simplest here (0=false, 1=true), but maybe this
>+            //     should be text. eg "yes/no/never" or for storing URLs for form
>+            //     logins (ie, only autosubmit on certain URLs)?
>+            this._dbConnection.executeSimpleSQL(
>+                "ALTER TABLE moz_logins ADD COLUMN autoLogin INTEGER");
>+        }

I had a similar question - we could use "boolean" types instead of 0/1. I think internally it's the same to sqlite. But if we do go for a 3-state flag, then we probably shouldn't do text. Keep them as ints and define some constants. Not sure how I feel about storing urls...
Attachment #449359 - Flags: feedback?(paul) → feedback+

Updated

6 years ago
Flags: wanted-fennec1.0?

Updated

6 years ago
Flags: wanted-fennec1.0?

Comment 35

5 years ago
Any news here?

Comment 36

5 years ago
FWIW, automatic HTTP proxy auth is implemented as part of Bug 521467. You just need to set pref "signon.autologin.proxy" = true (Boolean). Bug 646452 is about making it work by default.
Summary: automatic login for HTTP/proxy authentication → automatic login for HTTP authentication
(clearing assignment of bugs I'm no long planning to work on)
Assignee: dolske → nobody
I think that we can use the fix from Bug 521467 here. That fix gave us the convenient signon.autologin.proxy pref, so it should be pretty easy to add an autologin checkbox to the proxy dialog.

I'll try this out later.
Whiteboard: [p-safari] → [passwords:http-auth][parity-safari]
Target Milestone: mozilla1.9.2 → ---
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.