Closed Bug 401651 Opened 17 years ago Closed 17 years ago

Password manager ignores password field name, so it fills in the password when it shouldn't

Categories

(Toolkit :: Password Manager, defect)

x86
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 364970

People

(Reporter: dennisml, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007102904 Minefield/3.0a9pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a9pre) Gecko/2007102904 Minefield/3.0a9pre

I have a page where I use the fields "cva[username]" and "cva[password]" to log in a user. On the registration page I have two fields "cva[password1]" and "cva[password2]" for the user to enter his password. The problem is that if I tell Firefox to remember the password during a login and then visit the registration page, the password gets automatically filled into the field "cva[password1]". This shouldn't happen, as the field has a different name than the original one used in the login box.

This is a problem because on the profile edit page, where this happens too, I use the emptiness of both fields to detect that the user doesn't want to change his password. If the first field always gets auto-filled and the user hits submit, he gets an error that the passwords don't match, and he has to manually remove the auto-filled value for the submission to be successful.

Reproducible: Always

Actual Results: Password manager fills data into wrong fields.

Expected Results: The password manager should not try to be "smart" and only fill in the fields that were actually used when the password was remembered.
Alternatively the password manager should fill in both/all password fields. In that case the form would work too because the password comparison would succeed and the new password would simply be set to the old one.
Version: unspecified → Trunk
Summary: Password manager too overzealous when filling in passwords → Password manager ignores password field name, so it fills in the password when it shouldn't
This is by design. While it's undesirable in your use case, it's required for other use cases... See 364970 for an example.

Workarounds:

1) Change the edit-profile page to use 3 password fields, the first being used to confirm that the person changing the password has the original password. This is good security practice -- consider a user who logs in from a public computer in the library, and forgets to log out. The next person to sit down could steal the account by changing the password.

2) Change the edit-profile page to use 3 password fields, as above, but hide the first field (style="display: none") and ignore the value when submitted.

3) Use JavaScript to clear the password fields on page load.

There are other possibilities as well.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
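Workaround 1 from the comment above, sketched as a server-side handler. This is an added example, not code from the bug report or from Firefox. It assumes the current-password field is named `cva[password]` and comes first in the form; the function names and PBKDF2 parameters are also assumptions.

```python
import hashlib
import hmac
import os

# Assumed field names: "cva[password]" is the current-password field, placed first
# in the form; "cva[password1]" / "cva[password2]" are the reporter's new-password pair.
CURRENT, NEW1, NEW2 = "cva[password]", "cva[password1]", "cva[password2]"


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a storage hash with PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def handle_profile_edit(form: dict, salt: bytes, stored_hash: bytes):
    """Return (status, new_hash_or_None) for a submitted profile-edit form."""
    new1 = form.get(NEW1, "")
    new2 = form.get(NEW2, "")

    # Both new-password fields empty: the user is not changing the password.
    # Whatever the password manager put into the current-password field is ignored.
    if not new1 and not new2:
        return "unchanged", None

    if new1 != new2:
        return "mismatch", None

    # A change is requested, so the current password must be proven first.
    supplied = hash_password(form.get(CURRENT, ""), salt)
    if not hmac.compare_digest(supplied, stored_hash):
        return "bad_current_password", None

    return "changed", hash_password(new1, salt)


if __name__ == "__main__":
    # Constructed sample account and submissions.
    salt = os.urandom(16)
    stored = hash_password("old-secret", salt)
    autofilled = {CURRENT: "old-secret", NEW1: "", NEW2: ""}
    print(handle_profile_edit(autofilled, salt, stored)[0])  # autofill only
    change = {CURRENT: "old-secret", NEW1: "n3w-secret", NEW2: "n3w-secret"}
    print(handle_profile_edit(change, salt, stored)[0])
```

With this layout an autofilled saved password lands in the field that is supposed to hold it, so the "both new fields empty" check keeps working.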
This isn't the same as bug 364970. This bug says the password is being filled in despite the field name being different.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Actually, it is. The new password manager doesn't use field names to match logins. Because of that, the problem reduces to the same issue as 364970.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit