I have a app JSF2/Richfaces4 with login page and many internal pages
for the normal enterprise. I don't know why, but when the user click
to save the login/password in the browser, some internal pages (3
until today) sometimes are loaded with some field autocompleted using
the same value of the password. Then, the user must clear the local
password saving to solve the problem. What do I need to do to explain
for the browser that it haven't to fill automatically these fields.
Actually, the form and input tag have "autocomplete=off" attribute, which seems not be honored by all browsers (as usual).
Another way is that the user turns of the auto-completion in his browser, which you maybe cannot expect them to do.
Maybe theses link help you out.
https://gist.github.com/runspired/b9fdf1fa74fc9fb4554418dea35718fe
https://www.20spokes.com/blog/what-to-do-when-chrome-ignores-autocomplete-off-on-your-form
Related
I have created a chrome extension for generating passwords and outputting the phonetic version as well.
Basicly the extension creates the password and displays it in one DIV and the phonetic version in another, so if password was 'ac3', password DIV would show 'ac3' and phonetic DIV would show 'Alpha, Charley, Three'.
The problem is that as soon as I click outside the extension popup it disappears and I loose the current password.
My first attempt to sort this was to use chrome.storage.local.set after creating the password and then re-populating the password DIV via chrome.storage.local.get when you click on the extension again, this works great, but the data is available from any tab within the browser (even separate windows).
I understand that storing the password in any way is insecure, but wanted to find a way to limit the data stored to the current tab rather than globally.
I haven't found a way to keep the extension popup displayed to allow a user to copy/paste both DIVs.
Anyone got any pointers?
Also anyone able to point me in the direction of wiping the local storage value after a set amount of time? Just to make things slightly more secure.
This extension is used mainly for admin work, where you need to create a new password for a user, copy/paste it into a portal and then SMS/Email the password to the end user.
Data stored in chrome.storage is only available to your own extension, so it's not any less secure than any other way of storing it.
Just store it via chrome.storage.local.set() and then delete it a few minutes later, if unused. You'll have to set a deletion mechanism in background.js via chrome.runtime.sendMessage or chrome.alarms
I had also tried sessionStorage in the popup, but sadly it's lost as soon as the popup is closed. Same goes for history.replaceState.
I'm using this webmailer to check my private email:
https://webmailer.hosteurope.de/login.php
using FireFox as browser on several different computer systems.
However I have the problem with one of my computers:
Firefox IS saving the login data (login+password) but the next time I'm accessing the webmailer page this data is not used.
That means on this system I have to type my username+password everytime I
want to check my mails which is quite annoying.
Of course I've already tried the usual hints (Google was my friend) but the problem IS NOT that data is not saved! The problem is that saved login data is not used!
Any hints what my cause this problem?
ps: The misbehaving system is new and was configured with a preinstalled :-\ Win10 - all other systems are Win7. But I cannot imagine that this might be causing this behavior!? Firefox was manually installed by me on all systems. So no special settings that I applied.
Try going to Preferences -> Security -> Saved Logins... and check whether the correct domain name is stored. It could be that you saved the login information after you input them wrong. Sometimes when you input wrong username/password you get redirected to a separate page that informs you that you input the wrong credentials. This page sometimes has a login form. If you save the credentials when you are on that page they may only be filled on that page and not the main login page. For example, if you input wrong credentials on somedomain.com and get redirected to somedomain.com/wrong_password and save the credentials there, Firefox might only fill the form on the later page.
If this fails, try refreshing Firefox. Be careful to backup important data first. Usually they are restored automatically, but sometimes it fails. Instructions here: https://support.mozilla.org/t5/Procedures-to-diagnose-and-fix/Refresh-Firefox-reset-add-ons-and-settings/ta-p/23405
If everything fails, you can report it to Firefox at https://bugzilla.mozilla.org/
I am working on a financial web application.
There is a client requirement that if user is logged in and already browsing the app. If he copies and pastes the browser url to another window. In another window, the user should get logged out.
I know http is stateless and there is no inbuilt browser mechanism (cookies etc) to solve it, this needs to be implemented by programming only. I guess people have already solved this problem. Do you know know possible solution to solve this issue?
Sadly, there is no solution.
The browser keeps the cookies and all of the user informations for all the Tabs & Windows you open. It will clear the datas (like cookies that ask to be removed after the session) as soon as you close ALL tabs and windows of your browser. Note that if the user use another browser, the behaviour your want will be respected — browsers dnn't (yet ?) share this kind of informations.
It is simply not possible to solve the problem with code, and you'll have to find work-around.
As a researcher, I've seen one of these solutions : de-auth the user on the HTTP_REFERER (Apache Env. Variable). As soon as the referer was not the application itself (except for the login form), the user was de-authed. But take care of it : the Referer is an info sent by the browser. And no information sent by the browser should be trusted :). The advice remains, if only you want to use Javascript. You'll find someone to use a JS-disabled-browser to bypass your verification.
That's why Application Development is not yet dead ;)
Cheers.
K.
So how do you maintain the form security about posting data to different page problem? For instance you have a member and he/she tries to change the personal settings and you redirected member to
www.domain.com/member/change/member_id
member changed the values and post the data to another page by changing the action with firebug or something else. For instance
www.domain.com/member/change/member_id_2
How do you handle this problem without using sessions?
This problem arises when there are no server side validations!
So, the solution is to have server side validations.
Why not use Session state? It's designed for that.
Alternatively use cookies or URL's with unique session style ID embedded in it, which allows you to tie it back to a specific user.
How do you handle members without session?
Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same url, and with firebug you change the form to point to /members/change/2. When processing the form, you have to check if the userid in the form is the current user's id, and if not, display an error.
You could crypt the identity information (member_id) and add it as parameter or url path. When the request is posted to the member_id form, you can verify that the crypted member_id (which is part of the request) matches the member_id.
I initially designed my site to show a login box at the top of the page if the user was not authenticated (e.g. how reddit.com works).
I encountered a user who was having trouble with their browser's storage of their password because after a password change because their browser had stored their login information at different urls on the website. Even after the user typed correctly the new login information at one url, and the browser updated it, there would be other urls at which the browser had the incorrect login information.
This would also cause problems with sites that have a login box on their main page, and a special login page -- especially if the user front page login box is sent to the login page.
Is this a small enough case not to bother with, or should there only be one url at which a user can login to prevent this problem, especially for less technically-savvy audiences?
There should be one login page that every other page accessible sans login links to. It standardizes the process of logging in and reduces the kind of confusion your user experienced. It conforms to a convention that all the browsers are using with respect to saving passwords as well. Don't really see how you can go wrong that way.
Most sites use a single "sign in" button that takes you to the canonical login page.
If you want a signin box on every page that the browser can remember, consider using an iframe to hold the form.
I believe that if there is any way to use only ONE login location you should try to do it that way.
As you yourself said it's quite hard for browsers to determine what to do with stored passwords for sites with multiple login locations. There are possibly other problems and all of them are solved by having exactly one login location.
If you need to provide login from more places, just use redirection. But getting "in" your system should be done from one single place.
Just have one login page and have the other pages on your site linking to it. It keeps it simple for end users as there is only one page and easy for you to manage as you one have one login page.