Closed
Bug 41843
Opened 24 years ago
Closed 24 years ago
Single Signon practically unusable for website logins
Categories
(SeaMonkey :: Passwords & Permissions, defect, P3)
Tracking
(Not tracked)
VERIFIED
FIXED
M17
People
(Reporter: morse, Assigned: morse)
References
()
Details
(Whiteboard: [nsbeta2+])
Dan Veditz discovered the following problem with single singon: 1. Log onto nytimes to see a particular story 2. Have single singon save the logon 3. Exit and reenter browser 4. Return to nytimes and log on for a different story 5. Login does not get prefilled Problem is that the url contains a query string that identifies the story. Single singon used to strip off the query string before processing the url. Warren recently removed all the strip code and so the full url is being used for the match. Fix is to put back some of the strip code, at least for the query string.
Assignee | ||
Comment 1•24 years ago
|
||
This is a regression that just occured. It greatly reduces the usefuleness of the single signon feature. Nominating for nsbeta2.
Keywords: nsbeta2
Assignee | ||
Updated•24 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → M17
Assignee | ||
Comment 2•24 years ago
|
||
Seth, if I put back the stripping code and have it simply strip off the query string, will that break anything for mailnews?
Assignee | ||
Comment 3•24 years ago
|
||
The problem is worse than just the query string. If you go to www.vanguard.com and do a logon, the URL that gets captured is: https://majestic2.vanguard.com/PRFL/DA/0.1.InitialFrameSet/145681965508102319? In this case the numbers at the end are different each time you return to the site and so single signon will fail here. Prior to removing the stripping code, this worked because we removed the path from the url and kept just the host. Bottom line: the recent change of removing the stripping code has broken nytimes.com, vanguard.com, and probably many other sites. In other words, single signon is now unusable!
Assignee | ||
Comment 4•24 years ago
|
||
Wait, I can fix this without breaking mailnews. It's not single signon that needs to do the stripping but rather the caller (that was warren's intent). The caller in the case of website logins is unique -- happens to be in wallet.cpp at line that reads: SINGSIGN_RememberSignonData (URLName, signonData); So if I do adequate stripping there I can fix the new problem that just started occuring for website logins and not break anything that seth did for mailnews.
Assignee | ||
Comment 5•24 years ago
|
||
Updating summary line to adequately reflect the severity of this bug.
Summary: Need to reenter password for each story → Single Signon practically unusable for website logins
Comment 6•24 years ago
|
||
morse: yes, the correct fix is to change the caller.
Comment 8•24 years ago
|
||
I just talked to morse on the phone. his changes should not hork mailnews. but I'd like to follow warren's original plan, and not do any parsing in the single signon code. can you put your stripping code in one place, and just make callers (wallet.cpp and nsWalletService.cpp) call it first? that should not be hard to do.
Assignee | ||
Comment 9•24 years ago
|
||
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago
|
||
works now. [need to remember to clear out any cookies from nytimes.com, as well as turn off cookies, in order to test this case.] vrfy 2000.06.14.08-m17 commercial on all/all.
Status: RESOLVED → VERIFIED
Updated•20 years ago
|
Product: Browser → Seamonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•