I have created a chrome extension for generating passwords and outputting the phonetic version as well.
Basicly the extension creates the password and displays it in one DIV and the phonetic version in another, so if password was 'ac3', password DIV would show 'ac3' and phonetic DIV would show 'Alpha, Charley, Three'.
The problem is that as soon as I click outside the extension popup it disappears and I loose the current password.
My first attempt to sort this was to use chrome.storage.local.set after creating the password and then re-populating the password DIV via chrome.storage.local.get when you click on the extension again, this works great, but the data is available from any tab within the browser (even separate windows).
I understand that storing the password in any way is insecure, but wanted to find a way to limit the data stored to the current tab rather than globally.
I haven't found a way to keep the extension popup displayed to allow a user to copy/paste both DIVs.
Anyone got any pointers?
Also anyone able to point me in the direction of wiping the local storage value after a set amount of time? Just to make things slightly more secure.
This extension is used mainly for admin work, where you need to create a new password for a user, copy/paste it into a portal and then SMS/Email the password to the end user.
Data stored in chrome.storage is only available to your own extension, so it's not any less secure than any other way of storing it.
Just store it via chrome.storage.local.set() and then delete it a few minutes later, if unused. You'll have to set a deletion mechanism in background.js via chrome.runtime.sendMessage or chrome.alarms
I had also tried sessionStorage in the popup, but sadly it's lost as soon as the popup is closed. Same goes for history.replaceState.
Related
I am building an extension which every time the browser opens asks user for a strong password. Its purpose is that it uses that password to derive and generate strong passwords for new websites upon registration and it tries to regenerate same passwords next time a user visits an already visited website.
I am using below method to store user's masterpassword(used for password generation) which is sensitive information:
window.sessionStorage.setItem(varName)
And I use below method to get it whenever it is needed.
sessionStorage.getItem(varName)
My problem is that I want this data which is stored in browsers data to be valid as long as Chrome open. This master password needs to be cleared every time user closes the browser and to be asked every time it gets reopened.
I read that session storage is temporary and it gets cleared but it does not work for my extension. I also know that there is nothing to add in order to detect browser getting closed as it stops running your script.
Can you please help me with it? Is there such method that keeps data for a short time?
Since Manifest V3 removed the notion of persistent background pages. You can imitate this with chrome.storage.local. The only caveat regarding this is that it stores the variable in the extensions local storage which is still okay for that user.
One way to imitate a browser closing is by creating a chrome.runtime.port that is opened and then when the browser closes or the extension gets reloaded it will call onDisconnect for that port, and you can clear your chrome.storage.local.clear():
chrome.runtime.onConnect.addListener(port => port.onDisconnect.addListener(() => chrome.storage.local.clear()))
When the browser is launched, just connect:
chrome.runtime.connect(null, {})
That might unload itself when background script goes back to sleep, unfortunately, the only way to get passed that is to keep your own managed extension window that pops up. But that might be overkill for user experience.
I have a app JSF2/Richfaces4 with login page and many internal pages
for the normal enterprise. I don't know why, but when the user click
to save the login/password in the browser, some internal pages (3
until today) sometimes are loaded with some field autocompleted using
the same value of the password. Then, the user must clear the local
password saving to solve the problem. What do I need to do to explain
for the browser that it haven't to fill automatically these fields.
Actually, the form and input tag have "autocomplete=off" attribute, which seems not be honored by all browsers (as usual).
Another way is that the user turns of the auto-completion in his browser, which you maybe cannot expect them to do.
Maybe theses link help you out.
https://gist.github.com/runspired/b9fdf1fa74fc9fb4554418dea35718fe
https://www.20spokes.com/blog/what-to-do-when-chrome-ignores-autocomplete-off-on-your-form
When I enter user id and password in netsuite every time it asks me my security questions , how can I stop this happening every time. Other people in my team are not having similar issue so I wonder what needs to be changed in my settings
*Note: I am not having administrator role
NetSuite saves a cookie in your browser in order to recognize your machine and browser the next time you log on. If it does not find this cookie it will ask a security question. There are several conditions under which this can occur:
You log on using a different machine.
You use the same machine, but a different browser.
You use 'private browsing' or 'incognito' mode.
You use a browser extension or other program which automatically deletes your browser cache, or cookies, when you exit.
You have your browser itself set to empty cache on exit. E.G.: Chrome has a setting to "Keep local data only until you quit your browser"
Anything else that might interfere with cookies.
You'll need to check which of these apply to you and act accordingly. If you're still unsure what could be causing it, you could reset your browser to defaults, or install a completely new browser and test whether it still happens with that. You may need to disable or uninstall any browser extensions too.
I'm using this webmailer to check my private email:
https://webmailer.hosteurope.de/login.php
using FireFox as browser on several different computer systems.
However I have the problem with one of my computers:
Firefox IS saving the login data (login+password) but the next time I'm accessing the webmailer page this data is not used.
That means on this system I have to type my username+password everytime I
want to check my mails which is quite annoying.
Of course I've already tried the usual hints (Google was my friend) but the problem IS NOT that data is not saved! The problem is that saved login data is not used!
Any hints what my cause this problem?
ps: The misbehaving system is new and was configured with a preinstalled :-\ Win10 - all other systems are Win7. But I cannot imagine that this might be causing this behavior!? Firefox was manually installed by me on all systems. So no special settings that I applied.
Try going to Preferences -> Security -> Saved Logins... and check whether the correct domain name is stored. It could be that you saved the login information after you input them wrong. Sometimes when you input wrong username/password you get redirected to a separate page that informs you that you input the wrong credentials. This page sometimes has a login form. If you save the credentials when you are on that page they may only be filled on that page and not the main login page. For example, if you input wrong credentials on somedomain.com and get redirected to somedomain.com/wrong_password and save the credentials there, Firefox might only fill the form on the later page.
If this fails, try refreshing Firefox. Be careful to backup important data first. Usually they are restored automatically, but sometimes it fails. Instructions here: https://support.mozilla.org/t5/Procedures-to-diagnose-and-fix/Refresh-Firefox-reset-add-ons-and-settings/ta-p/23405
If everything fails, you can report it to Firefox at https://bugzilla.mozilla.org/
I know that the title can be better, but I don't know how to define my problem.
my problem is the next, I'm not sure if it's possible to do, but i suppose that it is.
I have some .pdf online and i want to protect them for third people.
My idea, instead of assign a password and show an input like this:
I want to send the password (or token) in the path. something like
file.pdf?tpw=aaaa-bbb-dddd
Is it possible? I'm using C# to create the pdf.
edit: the case
I have an application which create a folder with some pdf, those pdf can be uploaded or created here with a form. (this part works)
All this documents are stored in internet (global access) then I want to prevent that 3rd people or search engines (I'm reading about this, it doesn't looks like a big problem)
Then here is the problem, i want to some users can access to some pdf, for example
user K can access to pdf 33
user j can access to pdf 54
but not k to 54, etc.
my idea is send to the user (they should access throw the link) something like "https://domain.com/pdf/33.pdf?password=222222" and without this password cant access.
if is not possible to do it, i can create an "intermediate page" to put the links there.
and send the url like "http://domain.com/pdf/view.chtml?id=33&password=222222"
edit: and prevent the access if they type https://domain.com/pdf/33.pdf
EDIT 2: SOLUTION (at least per now)
store into the database for each file
- filename - user(in md5) - token (in sha1)
send to the user a link like www.domain.com/api/showpdf.chtml?user=XXXXX&token=KKKKKKKKKKKKKKK
When the user clicks on that just check in the database by the user and the token if any file exist, if is this case show the file.
To solve the problem with the direct access, we are going to put the files out of "localhost" folders
Thanks for all.
I don't think it is a good idea to GET your passwords, they will be visible, the password should only be sent once, start a user session in the server, which will then create a temporary ticket for the user, and this ticket should be sent on each request via POST.
Anyway, you'll need to use a database and store users, passwords, files, and per-file permissions for each user, you could use a file, but it's never a good idea to store the passwords in plain text. I guess you already have a database running, you'll only need to add a files and a per-file permissions table to it.
Also, you should never keep the real password in the database either, but just a checksum of it (SHA-1, or similar)