
Item13380: Login "spams" remembered passwords

Priority: Normal
Current State: Closed
Released In: 2.1.5
Target Release: patch
Applies To: Engine
Component: FoswikiUILogin, LoginManager
Branches: Release02x01 master Item14288 Item14380
Reported By: CrawfordCurrie
Waiting For: CrawfordCurrie, MichaelDaum
Last Change By: GeorgeClark
When you log in, the address used is derived from the page that triggered the authentication request; for example, to log in here I clicked "log in" on the WebHome page of the Tasks web, so the login URL was foswiki.org/bin/login/Tasks/WebHome. If the browser is remembering passwords, it will cache that password for that specific web address. As a result, you end up with multiple remembered passwords (generally all the same) for different pages on the same site.

Not a disaster, just very untidy.

-- CrawfordCurrie - 22 Apr 2015

Depends on the browser. Chrome remembers passwords per domain, not per URL. Which browser have you been using?

-- MichaelDaum - 22 Apr 2015

Chrome. 41.0.2272.101

-- CrawfordCurrie - 23 Apr 2015

This fix seems to resolve the issue. It will need to be done for each login manager. I'm a little hesitant to check it in.

diff --git a/core/lib/Foswiki/LoginManager/TemplateLogin.pm b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
index 4228783..34ae35a 100755
--- a/core/lib/Foswiki/LoginManager/TemplateLogin.pm
+++ b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
@@ -128,7 +128,7 @@ sub loginUrl {
     my $session = $this->{session};
     my $topic   = $session->{topicName};
     my $web     = $session->{webName};
-    return $session->getScriptUrl( 0, 'login', $web, $topic,
+    return $session->getScriptUrl( 0, 'login', undef, undef,
         foswiki_origin => _packRequest($session) );
 }
 
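Review bot: `my $topic` and `my $web` at the top of `loginUrl` are still assigned but are no longer passed to `getScriptUrl` once the call uses `undef, undef`; if nothing else in the sub reads them, drop both declarations. Since the post-login return target now travels only in `foswiki_origin => _packRequest($session)`, a short comment on the call saying that the web and topic are omitted on purpose (to keep the login URL constant across pages) would stop a later cleanup from putting them back. It is also worth confirming in this change that the login script still resolves a sensible default web and topic when `foswiki_origin` is missing or fails to unpack.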

-- GeorgeClark - 12 Dec 2017

This seems to work okay. The foswiki_origin is used so the redirect after login is correct. But I'm not sure if there are other side effects. I'll commit this for 2.1.5 if someone would validate it. Thanks.

-- GeorgeClark - 12 Dec 2017
 
Topic revision: r10 - 26 Jan 2018, GeorgeClark