Closed
Bug 56375
Opened 25 years ago
Closed 25 years ago
Password appears in location bar
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
People
(Reporter: mike_jk, Assigned: justdave)
Details
(Whiteboard: 3.0)
When I log on to my bugzilla account, I noticed that my password appears in the
location bar.
Comment 2•25 years ago
Bugzilla uses 'get' instead of 'post' for logging in. That makes your password
be part of the url, which is why it shows up on the location bar.
We should change the login process so it uses 'post'. Note that we don't want
to change all bugzilla cgi's because we want to be able to bookmark queries.
moving to webtools/bugzilla and reassigning to tara for her input.
Assignee: endico → tara
Component: Miscellaneous → Bugzilla
Product: mozilla.org → Webtools
QA Contact: matty
Whiteboard: 2.0
Updated•25 years ago
Whiteboard: 2.0 → 3.0
Comment 4•25 years ago (Reporter)
There should be an option in preferences that will allow it to login
using 'post' instead of 'get'. If someone wants to bookmark queries they'll
leave the option as 'get' instead of 'post'. Others may not need to bookmark
queries and they could use the other option which will hide the password.
Comment 5•25 years ago
How would it know which method to use? The post/get is where you tell it who
you are.
What it should do is always use POST, but support GET (this would cause it to
require some URL editing of your bookmark, but that's not too complicated...)
Comment 6•25 years ago
I've found this "frmget" bookmarklet useful for sites that misuse POST for
search tasks (such as everything2.com), and it should work on login forms too.
Activate the bookmarklet on a site with POST forms, and they turn into GET
forms.
javascript:frmlist = document.forms; if (! frmlist.length) alert("no forms!"); for (frmi = 0; frmi < frmlist.length; ++frmi) frmlist[frmi].method="get"; void (0);
If lots of bugzilla users like being able to bookmark logging in (I wouldn't be
surprised -- see bug 20122), maybe there should be a checkbox that runs a
script to make the form a POST form when checked. Or maybe it should just show
the frmget bookmarklet, as a link, with a hint that it can be saved as a
bookmarklet and used on other sites with POST forms.
Either way, it would need some text to the effect of "If you trust everyone who
has access to this computer or can read your bookmarks...".
Comment 7•25 years ago
Jesse, I don't think that's really needed... it isn't that difficult to make the
script support both GET and POST. All you have to do is check QUERY_STRING even
if it's a POST.
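Added example, not part of the original thread and not Bugzilla's code: a Python sketch (Bugzilla itself is Perl) of the approach in comments 5 and 7, where the handler reads the POST body but still checks QUERY_STRING, and reports when the password arrived in the URL. The field name `password` and the helper names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode

# Hypothetical field name; the thread does not name Bugzilla's login parameters.
SENSITIVE_FIELDS = ("password",)


def read_params(environ, body=b""):
    """Merge CGI parameters from QUERY_STRING and, for a POST, the form body.

    Returns (params, leaked). params maps name -> first value, with body values
    taking precedence. leaked lists sensitive fields that came in through the
    URL and are therefore visible in the location bar, history and bookmarks.
    """
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    leaked = sorted(name for name in SENSITIVE_FIELDS if name in query)

    # QUERY_STRING is checked above even when the method is POST (comment 7).
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if ctype == "application/x-www-form-urlencoded":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            posted = parse_qs(body[:length].decode("utf-8"),
                              keep_blank_values=True)
            params.update({name: vals[0] for name, vals in posted.items()})
    return params, leaked


def scrub_query(query_string):
    """Drop sensitive fields from a query string before it is logged or
    reused as a redirect target, keeping the bookmarkable parameters."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return urlencode([(k, v) for k, v in pairs if k not in SENSITIVE_FIELDS])


if __name__ == "__main__":
    # Constructed sample requests (not taken from the bug report).
    body = b"login=mike%40example.com&password=s3cret"
    post_env = {"REQUEST_METHOD": "POST", "QUERY_STRING": "id=56375",
                "CONTENT_TYPE": "application/x-www-form-urlencoded",
                "CONTENT_LENGTH": str(len(body))}
    get_env = {"REQUEST_METHOD": "GET",
               "QUERY_STRING": "login=mike%40example.com&password=s3cret&id=56375"}
    print(read_params(post_env, body))
    print(read_params(get_env))
    print(scrub_query(get_env["QUERY_STRING"]))
```

A non-empty `leaked` list is the case the reporter saw: the login still works, but the handler can redirect to the scrubbed URL so the password does not stay in the location bar.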
Comment 8•25 years ago
That stuff is for letting users choose whether to use POST or GET for the login
form. The default needs to be POST for security reasons, but users suffering
from bug 20122 want to be able to bookmark something including their password easily.
I just thought of another way to let users bookmark their login info: include a
link on any login form, "Getting logged out often?". That would link to a page
that would let the user set up a clean bookmark that just logs in. (Under my
other proposal, if you got logged out while trying to submit a bug, you might
end up with a bookmark that submits the bug in addition to logging in.) Having
an extra page for that would also give more room to explain the possible
security problems of having a bookmark that includes your password, and would
allow important sentences to be bolded without distracting from the login form.
Or maybe bug 20122 should just be fixed :P
Comment 9•25 years ago
this is a dup of bug 15980, as noted by davidr8@home.com
*** This bug has been marked as a duplicate of 15980 ***
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
Comment 10•25 years ago
Verif.
bruce@vrieling.com & eric@vrieling.com, please transfer your votes to the other
bug.
Status: RESOLVED → VERIFIED
Comment 11•24 years ago (Assignee)
moving all closed Bugzilla bugs to the new Bugzilla product.
This batch is DUPLICATE/INVALID/WORKSFORME/WONTFIX
reassigning to default owner and QA in case of the bug being reopened.
Clearing milestones, since we really shouldn't have them on these types of
resolutions. Sorry for the spam everyone...
Assignee: tara → justdave
Status: VERIFIED → NEW
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa