Item13380: Login "spams" remembered passwords
Priority: Normal
Current State: Closed
Released In: 2.1.5
Target Release: patch
When you login, the address used is derived from the page that triggered the authentication request; for example, to login here I clicked "log in" on the WebHome page of the Tasks web, so the login url was foswiki.org/bin/login/Tasks/WebHome. If the browser is remembering passwords, it will cache that password for that specific web address. As a result, you end up with multiple remembered passwords (generally all the same) for different pages on the same site.
Not a disaster, just very untidy.
--
CrawfordCurrie - 22 Apr 2015
Depends on the browser. Chrome remembers passwords per domain, not per url. Which browser have you been using?
--
MichaelDaum - 22 Apr 2015
Chrome. 41.0.2272.101
--
CrawfordCurrie - 23 Apr 2015
This fix seems to resolve the issue: It will need to be done for each login manager. I'm a little hesitant to check it in.
diff --git a/core/lib/Foswiki/LoginManager/TemplateLogin.pm b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
index 4228783..34ae35a 100755
--- a/core/lib/Foswiki/LoginManager/TemplateLogin.pm
+++ b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
@@ -128,7 +128,7 @@ sub loginUrl {
my $session = $this->{session};
my $topic = $session->{topicName};
my $web = $session->{webName};
- return $session->getScriptUrl( 0, 'login', $web, $topic,
+ return $session->getScriptUrl( 0, 'login', undef, undef,
foswiki_origin => _packRequest($session) );
}
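Review bot: once the return passes undef, undef instead of $web, $topic, the two declarations just above it (my $topic = $session->{topicName}; and my $web = $session->{webName};) are unused in the visible part of loginUrl and should be removed along with this change. The return also deserves a short comment saying that web and topic are omitted on purpose so every page produces the same login URL, and that the post-login redirect target now travels only in foswiki_origin; without it a later cleanup could easily restore the old arguments. Since the redirect then depends entirely on what _packRequest($session) carries, a test that logs in from a non-default web and topic and checks the landing page would confirm the behaviour before the same edit is repeated in the other login managers.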
--
GeorgeClark - 12 Dec 2017
This seems to work okay. The foswiki_origin is used so the redirect after login is correct. But I'm not sure if there are other side effects. I'll commit this for 2.1.5 if someone would validate it. Thanks.
--
GeorgeClark - 12 Dec 2017