Selecting Remember Password on a j_security_check logon Form auto sets the users username/password on other forms in an application with a similar username/password field.

RESOLVED INVALID

Status

()

Toolkit
Password Manager
RESOLVED INVALID
7 years ago
6 years ago

People

(Reporter: jason-erwin@sbcglobal.net, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(5 attachments)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0

Hi,

I'm an app developer working on a Wicket J2EE application utilizing j_security_check. I have a j_security_check Logon form with the following standard j_security_check input fields:

<input id="j_username" type="text" name="j_username" />

<input id="j_password" type="password" name="j_password" />


I have another form in the application used for adding new Users. It contains the following username/password input fields:


<input type="text" value="" name="userName"/>

<input type="password" name="passwordTableRow:password"/>


When the logged in user hits the Add User form, the fields above are pre-populated with the logged in user's username/password.

This issue doesn't occur in IE 7.





Reproducible: Always

Steps to Reproduce:
1. Create an application with a login form with the following fields:

<input id="j_username" type="text" name="j_username" />

<input id="j_password" type="password" name="j_password" />
 
2. Create another form in the same application with the following fields:

<input type="text" value="" name="userName"/>

<input type="password" name="passwordTableRow:password"/>

3. 
Actual Results:  
The second forms input fields are pre-populated with the username/password from the first form.

Expected Results:  
The username/password input fields on the second form should be empty.

Updated

7 years ago
Version: unspecified → 4.0 Branch
Can you create a simple HTML testcase and attach it to this bug?
(Reporter)

Comment 2

7 years ago
Hi,

Below is a test case:

Hit Login.html. Enter a UserName/Password. Select Remember my Password. Click Submit. Click the Add User Link. You will see the UserName from Login.html in the UserName field and the password set in the Password field.

Below are the files:

Login.html

<html>
<body>
	<form method="post" action="Main.html">
		UserName <input id="j_username" type="text" name="j_username" />
		Password <input id="j_password" type="password" name="j_password"/>
		<input type="submit" value="Login"/>
	</form>
</body>
</html>


Main.html

<html>
<body>
	<a href="AddUser.html">Add a User</a>
</body>
</html>


AddUser.html

<html>
<body>
Add a New User
	<form >
		UserName <input type="text" value="" name="userName" id="userName95"/>
		Password <input type="password"  value="" name="passwordTableRow:password"/>
		<input type="button" value="Add User"/>
	</form>
</body>
</html>
As asked in comment 1, can you please attach each of these as files to this bug? Its more helpful to have actual files to test than code in comments. Thank you.
(Reporter)

Comment 4

7 years ago
Created attachment 532488 [details]
Initial Login test case page
(Reporter)

Comment 5

7 years ago
Created attachment 532489 [details]
Main page after Login test case page
(Reporter)

Comment 6

7 years ago
Created attachment 532490 [details]
Add User test case page

Comment 7

6 years ago
This had been a relatively large problem for me.  The bug still exists in Firefox 11.  I've got a page to reset a password after a user types in a verification code.  The problem is that the password manager assumes the field before anything typed as password is the username.  So my verification code winds up getting filed in with the username, and not blank like it should be.  My "new password" field gets filled up with the old password.

This is just clearly wrong, and the password saving feature isn't being discriminating enough.  I've also created a test case that I'll attach.

Comment 8

6 years ago
Created attachment 616227 [details]
login page.

Page to use first and choose save password

Comment 9

6 years ago
Created attachment 616228 [details]
verification page.

Page that shows the username as being put in my verification code field, and password being put in my new password field.

Comment 10

6 years ago
Is there any way to get some activity from Mozilla on this bug?  Two people have posted test cases, and the bug has been around for at least a full year.  It'd be nice if it was assigned to a relevant person to at least investigate and see how feasible it is to fix.  I'd at least be nice to know someone is actually paying attention to these lists rather than it being a big black hole.
It's not a big black hole -- it's just that there is a lot of other work which takes priority over this issue and not enough developers. That said, it is not the responsibility of paid employees to fix every single bug. We are an open community encouraging volunteers to contribute fixes and patches. Firefox is what it is today because volunteers didn't wait for someone being paid by Mozilla to fix their issue.

Comment 12

6 years ago
I'm certainly willing to help, but the last time I checked out Firefox code it was quite a bear just to get to the compiling stage.  This was years ago, so perhaps things have changed.  Does Mozilla provide any guidance to developers to start fixing code?
https://developer.mozilla.org/ is the first place I would start. The second place would be to join the #developers and #firefox IRC channels irc.mozilla.org and ask for help.
(In reply to Vellmont from comment #12)
> I'm certainly willing to help, but the last time I checked out Firefox code
> it was quite a bear just to get to the compiling stage.  This was years ago,
> so perhaps things have changed.  Does Mozilla provide any guidance to
> developers to start fixing code?

Things are much better now, see https://developer.mozilla.org/en/Introduction and in particular https://developer.mozilla.org/En/Simple_build


(In reply to jason-erwin@sbcglobal.net from comment #0)

> 
> <input type="text" value="" name="userName"/>
> <input type="password" name="passwordTableRow:password"/>
> 
> 
> When the logged in user hits the Add User form, the fields above are
> pre-populated with the logged in user's username/password.

Correct. Password manager does not use the |name| attribute when filling in forms. Too many sites had different field names on different pages, which made it hard to use the password mananger. It's been that way since Firefox 3.0.


(In reply to Vellmont from comment #7)
> So my verification
> code winds up getting filed in with the username, and not blank like it
> should be.  My "new password" field gets filled up with the old password.

The solution to both of these problems is to add autocomplete="off" to the <input> or <form>. This will prevent the filling in of the "wrong" username/password, as well as saving the undesired/invalid "login" when that form is submitted.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager
Resolution: --- → INVALID
Version: 4.0 Branch → unspecified
You need to log in before you can comment on or make changes to this bug.