Open Bug 551948 Opened 14 years ago Updated 2 years ago

"Select which login to update:" UI appears when doing a password change with multiple diff. saved logins and no editable username field

Categories

(Toolkit :: Password Manager, defect, P3)

People

(Reporter: rabashani, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [passwords:heuristics])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

Actually, all I did was try to create a change password form, which has:
1) current password 
2) new password

The problem is that when posting this, the password manager popup asks which user's password we would like to change.

So: 
 we gave him the user name (=email) in a hidden textbox.
 This will prevent the popup from being raised.

But it is a bad design.

I would prefer doing this using a hidden field - this is not working!



Reproducible: Always

Steps to Reproduce:
1. Have a web site with users and passwords.
2. Create 3 users in your site; 
    2 of them have the save password allowed for your site.
3. Change password page - create a form with hidden field, current password, new password.
4. Enter with the 3rd user (the one that didn't allow saving his password) and try to change his password.
5. Now the password manager will ask for the user who is changing his password, although the tool should understand it because of the hidden field with the email.
Actual Results:  
password manager - popup raised

Expected Results:  
change the password without user intervention
Please provide either a testcase as an attachment or a link to a public site as an example for your report to make your issue understandable.
Component: Security → General
Keywords: testcase-wanted
QA Contact: firefox → general
If the password manager has multiple logins stored for a site, when it sees a form with only password fields it doesn't know which username the form is for. Most people never see this (because they only have 1 account on a site).

Your fix (hidden username field) is exactly what I'd recommend.

I suppose it's possible that we could be smarter about using the login which has a password matching the value being changed, although that's not always reliable.
Component: General → Password Manager
Product: Firefox → Toolkit
QA Contact: general → password.manager
@Xtc4uall - right now I don't have a public site, will be up later on this year, but I wrote the case exactly.

@justin - I suggest replacing the hidden text box with a hidden field; this is the bug. I would like the programmers to have the option to add a hidden field with the username\email.
I agree that matching the value is not good enough and is error-prone.
(In reply to shani from comment #3)
> @justin - I suggest to replace the hidden text box with hidden field this is
> the bug. I would like the programmers to have the option to add a hidden
> field with the username\email.

The reason the hidden input doesn't work is because we don't allow hidden inputs to be usernames [1]. A readonly or disabled username input should work along with the display:none trick. After bug 1119067, the standard way of doing this would be <input type=hidden value=someusername autocomplete=username />.

Without using @autocomplete, we could also search <input type=hidden /> and see if any have a value that matches a username we know about.

[1] https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm?rev=12a7e4dd8949#346
Blocks: 1119514
Status: UNCONFIRMED → NEW
Depends on: 1119067
Ever confirmed: true
Keywords: testcase-wanted
OS: Windows 7 → All
Hardware: x86 → All
Summary: remember password tool - do not recognize the user in change password forms → No offer to update a password when there are multiple saved logins
Attached file Testcase
Attachment #8546945 - Attachment mime type: text/plain → text/html
See Also: → 733217
Priority: -- → P1
Whiteboard: UI-improvement
Whiteboard: UI-improvement → [passwords:heuristics]
Priority: P1 → P2

Re-summarizing since the old one kept confusing me.

Since our doorhanger is editable now it seems like taking the password value into account (comparing the saved login password to the old password in the form) would be a fine improvement. If we guess wrong then the user can change the username in the update doorhanger and we will appropriately update that login instead (not saving a new one).

We can still show the chooser UI if there are multiple existing passwords with the same value for the site.

Summary: No offer to update a password when there are multiple saved logins → "Select which login to update:" UI appears when doing a password change with multiple diff. saved logins and no editable username field
Severity: normal → S3
Priority: P2 → P3
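
The selection order discussed in this thread (autocomplete=username hint, hidden-value match, old-password match, then the chooser), as an added example that is not Firefox's password manager code. The function, field and result names are hypothetical, and the sample logins are constructed.

```javascript
// Added sketch, not Firefox's LoginManager code. All names are hypothetical.
// savedLogins: [{ username, password }] stored for the form's origin.
// form: { fields: [{ type, autocomplete, value }], oldPassword }
function pickLoginToUpdate(savedLogins, form) {
  const filled = form.fields.filter((f) => f.value);

  // 1. Explicit hint: any field carrying autocomplete=username, even type=hidden.
  const hinted = filled.find((f) => f.autocomplete === "username");
  if (hinted) {
    const login = savedLogins.find((l) => l.username === hinted.value);
    return login
      ? { action: "update", login, reason: "autocomplete" }
      : { action: "offer-save", username: hinted.value, reason: "autocomplete" };
  }

  // 2. No hint: trust a hidden input only if its value equals a known username,
  //    and only if exactly one saved login is matched that way.
  const hiddenValues = filled.filter((f) => f.type === "hidden").map((f) => f.value);
  const byHidden = savedLogins.filter((l) =>
    hiddenValues.includes(l.username));
  if (byHidden.length === 1) {
    return { action: "update", login: byHidden[0], reason: "hidden-value" };
  }

  // 3. Compare the typed old password with each stored password.
  const byPassword = savedLogins.filter((l) => l.password === form.oldPassword);
  if (byPassword.length === 1) {
    return { action: "update", login: byPassword[0], reason: "old-password" };
  }

  // 4. Still ambiguous: show the chooser, narrowed to password matches if any.
  const candidates = byPassword.length ? byPassword : savedLogins;
  return { action: "choose", candidates, reason: "ambiguous" };
}

// Constructed sample data for illustration.
const saved = [
  { username: "alice@example.com", password: "old-A" },
  { username: "bob@example.com", password: "old-B" },
];
const pw = (value) => ({ type: "password", autocomplete: "", value });
const demo = pickLoginToUpdate(saved, {
  fields: [pw("old-B"), pw("new-B")],
  oldPassword: "old-B",
});
console.log(demo.action, demo.login.username, demo.reason);
```

Because step 3 can guess wrong, its result is only a prefill for the editable update doorhanger; the user can still change the username there.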