Closed
Bug 401651
Opened 17 years ago
Closed 17 years ago
Password manager ignores password field name, so it fills in the password when it shouldn't
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 364970
People
(Reporter: dennisml, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007102904 Minefield/3.0a9pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007102904 Minefield/3.0a9pre
I have a page where I use the fields "cva[username]" and "cva[password]" to log in a user. On the registration page I have two fields "cva[password1]" and "cva[password2]" for the user to enter his password.
The problem is that if I tell Firefox to remember the password during a login and then visit the registration page, the password gets automatically filled into the field "cva[password1]". This shouldn't happen as the field has a different name than the original one used in the login box. This is a problem because on the profile edit page, where this happens too, I use the emptiness of both fields to detect that the user doesn't want to change his password. If the first field always gets auto-filled and the user hits submit, he gets an error that the passwords don't match and he has to manually remove the auto-filled value for the submission to be successful.
Reproducible: Always
Actual Results:
Password manager fills data into wrong fields.
Expected Results:
The password manager should not try to be "smart" and only fill in the fields that were actually used when the password was remembered.
Reporter
Comment 1•17 years ago
Alternatively the password manager should fill in both/all password fields. In that case the form would work too because the password comparison would succeed and the new password would simply be set to the old one.
Version: unspecified → Trunk
Updated•17 years ago
Summary: Password manager too overzealous when filling in passwords → Password manager ignores password field name, so it fills in the password when it shouldn't
Comment 2•17 years ago
This is by design. While it's undesirable in your use case, it's required for other use cases... See 364970 for an example.
Workarounds:
1) Change the edit-profile page to use 3 password fields, the first being used to confirm that the person changing the password has the original password. This is good security practice -- consider a user who logs in from a public computer in the library, and forgets to log out. The next person to sit down could steal the account by changing the password.
2) Change the edit-profile page to use 3 password fields, as above, but hide the first field (style="display: none") and ignore the value when submitted.
3) Use JavaScript to clear the password fields on page load.
There are other possibilities as well.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
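Workaround 1 from comment 2, sketched server-side as an added example (not code from this bug or from the reporter's site): the autofilled value lands in a current-password field, "both new fields empty" still means no change, and a change requires the current password. The field name `cva[password]` for the current-password field on the edit page, the PBKDF2 parameters and all function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # constructed value for this example


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time check of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def handle_profile_edit(form, stored):
    """Process the three password fields of an edit-profile submission.

    form   -- dict of submitted fields (names follow the report's cva[...] style)
    stored -- (salt, digest) currently on file for the logged-in user
    Returns (status, stored_after).
    """
    current = form.get("cva[password]", "")   # first field: autofill lands here
    new1 = form.get("cva[password1]", "")
    new2 = form.get("cva[password2]", "")

    # Both new fields empty: the user is not changing the password. A value the
    # password manager put into the current-password field is simply ignored.
    if not new1 and not new2:
        return "unchanged", stored

    # Any change must prove knowledge of the current password, so an
    # unattended logged-in session cannot be used to take over the account.
    if not verify_password(current, *stored):
        return "current password incorrect", stored

    if new1 != new2:
        return "new passwords do not match", stored

    return "changed", hash_password(new1)
```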
Comment 3•17 years ago
This isn't the same as bug 364970. This bug says the password is being filled in despite the field name being different.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 4•17 years ago
Actually, it is. The new password manager doesn't use field names to match logins. Because of that, the problem reduces to the same issue as 364970.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•16 years ago
Product: Firefox → Toolkit