Single Signon practically unusable for website logins

VERIFIED FIXED in M17

Status

SeaMonkey
Passwords & Permissions
P3
normal
VERIFIED FIXED
18 years ago
13 years ago

People

(Reporter: Stephen P. Morse, Assigned: Stephen P. Morse)

Tracking

Trunk
x86
Windows NT

Details

(Whiteboard: [nsbeta2+], URL)

(Assignee)

Description

18 years ago
Dan Veditz discovered the following problem with single signon:

1. Log onto nytimes to see a particular story
2. Have single signon save the logon
3. Exit and reenter browser
4. Return to nytimes and log on for a different story
5. Login does not get prefilled

Problem is that the url contains a query string that identifies the story.  
Single signon used to strip off the query string before processing the url.
Warren recently removed all the strip code and so the full url is being used for 
the match.  Fix is to put back some of the strip code, at least for the query 
string.
(Assignee)

Comment 1

18 years ago
This is a regression that just occurred.  It greatly reduces the
usefulness of the single signon feature.

Nominating for nsbeta2.
Keywords: nsbeta2
(Assignee)

Updated

18 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → M17
(Assignee)

Comment 2

18 years ago
Seth, if I put back the stripping code and have it simply strip off the query 
string, will that break anything for mailnews?
(Assignee)

Comment 3

18 years ago
The problem is worse than just the query string.  If you go to www.vanguard.com 
and do a logon, the URL that gets captured is:

https://majestic2.vanguard.com/PRFL/DA/0.1.InitialFrameSet/145681965508102319?

In this case the numbers at the end are different each time you return to the 
site and so single signon will fail here.  Prior to removing the stripping code, 
this worked because we removed the path from the url and kept just the host.

Bottom line: the recent change of removing the stripping code has broken 
nytimes.com, vanguard.com, and probably many other sites.  In other words, 
single signon is now unusable!
(Assignee)

Comment 4

18 years ago
Wait, I can fix this without breaking mailnews.  It's not single signon that 
needs to do the stripping but rather the caller (that was Warren's intent).  The
caller in the case of website logins is unique -- happens to be in wallet.cpp at
the line that reads:

   SINGSIGN_RememberSignonData (URLName, signonData);

So if I do adequate stripping there I can fix the new problem that just started
occurring for website logins and not break anything that Seth did for mailnews.
(Assignee)

Comment 5

18 years ago
Updating summary line to adequately reflect the severity of this bug.
Summary: Need to reenter password for each story → Single Signon practically unusable for website logins
morse:  yes, the correct fix is to change the caller.

Comment 7

18 years ago
Putting on [nsbeta2+] radar for beta2 fix. 
Whiteboard: [nsbeta2+]
I just talked to morse on the phone. 

his changes should not hork mailnews.

but I'd like to follow warren's original plan, and not do any parsing in the
single signon code.

can you put your stripping code in one place, and just make callers (wallet.cpp
and nsWalletService.cpp) call it first?

that should not be hard to do.
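
The approach agreed in the comments above (stripping done in one shared helper, which the callers run before handing the URL to single signon), as an added sketch that is not Mozilla's code. `SignonKeyFromURL`, `RememberLogin`, `LookupLogin` and the in-memory map are hypothetical names, the nytimes URLs are constructed, and keeping the scheme alongside the host is an assumption of this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Hypothetical helper, not Mozilla's code: reduce a login URL to the key a
// saved login is filed under. Path, query and fragment are dropped so
// per-story or per-session values cannot defeat the match.
std::string SignonKeyFromURL(const std::string& url) {
    const auto npos = std::string::npos;
    const auto schemeEnd = url.find("://");
    if (schemeEnd == npos || schemeEnd == 0) return "";  // not an absolute URL
    const auto start = schemeEnd + 3;
    const auto end = url.find_first_of("/?#", start);  // end of authority
    std::string authority = url.substr(start, end == npos ? npos : end - start);
    // Drop userinfo: in "https://a.example@b.example/" the host is b.example.
    const auto at = authority.rfind('@');
    if (at != npos) authority.erase(0, at + 1);
    if (authority.empty()) return "";
    // Keeping the scheme is this sketch's assumption: it stops a login saved
    // over https from being matched to an http page on the same host.
    std::string key = url.substr(0, schemeEnd) + "://" + authority;
    std::transform(key.begin(), key.end(), key.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return key;
}

// Stand-in for the signon store: no parsing here, keys are matched exactly.
static std::map<std::string, std::string> gSavedLogins;

// Callers normalize first, then hand the key to the store.
bool RememberLogin(const std::string& url, const std::string& user) {
    const std::string key = SignonKeyFromURL(url);
    if (key.empty()) return false;
    gSavedLogins[key] = user;
    return true;
}

std::string LookupLogin(const std::string& url) {
    const auto it = gSavedLogins.find(SignonKeyFromURL(url));
    return it == gSavedLogins.end() ? "" : it->second;
}

int main() {
    // Constructed sample URLs: same site, different story in the query string.
    RememberLogin("http://www.nytimes.com/story?id=1", "reader");
    std::cout << LookupLogin("http://www.nytimes.com/story?id=2") << "\n";
    return 0;
}
```
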
(Assignee)

Comment 9

18 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED
works now. [need to remember to clear out any cookies from nytimes.com, as well
as turn off cookies, in order to test this case.] vrfy 2000.06.14.08-m17
commercial on all/all.
Status: RESOLVED → VERIFIED
Product: Browser → Seamonkey