Open Bug 223636 Opened 21 years ago Updated 2 years ago

automatic login for HTTP authentication

Categories

(Toolkit :: Password Manager, enhancement, P5)

enhancement

Tracking

()

People

(Reporter: moz.n1, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: parity-safari, Whiteboard: [passwords:http-auth])

Attachments

(1 file, 2 obsolete files)

This is same as Bug 117592 That bug is for the password manager component in seamonkey, this one is to request the same feature for firebird's password manager. I was asked to file a seperate bug for firebird. http://forums.mozillazine.org/viewtopic.php?t=29189&start=29 From orig. bug: For pages where authentication is done via the "old school", pop up a dialog method, rather than with forms and cookies, there should be an option to automatically log in if the name/password pair is stored with the password manager. A checkbox "do not ask me again" should be added below the current "save this password" checkbox. If both are checked, silently login in the future. screenshot: http://bugzilla.mozilla.org/attachment.cgi?id=132646&action=view
Setting Hardware/OS to All/All.
OS: Windows XP → All
Hardware: PC → All
Adding keyword 'conversion' http://forums.mozillazine.org/viewtopic.php?p=347089#347089 Most of my coworkers face the same problem.
Keywords: conversion
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth) → [RFE] Automatically log into sites for which the name/password is stored (HTTP Basi+c Auth)
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basi+c Auth) → [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth)
This will need the ability to "uncheck" the box in some way other than removing it from the password manager completely.
Maybe we could add an icon to the statusbar indicating that the browser is currently sending authentication information. The user could also use this to switch login information, or to effectively "logout". It would be nice if this bug was expanded to include NTLM authentication as well.
Would it be possible to add a hidden pref accessible via about:config in the core, and leave any UI change (checkbox, status bar) for extensions?
Flags: blocking1.0?
+ing to get on bryner's radar, I'll let him decide if he wants to fix this.
Flags: blocking1.0? → blocking1.0+
Flags: blocking1.0+ → blocking1.0-
See also bug 231529, "Optionally enable unprompted NTLM authentication".
*** Bug 249112 has been marked as a duplicate of this bug. ***
With the fix for bug 231529, IE-parity has been attained. I guess this bug can still be left open as an RFE.. but the integrated windows auth. problem that caused this bug report has been solved. Removing conversion keyword.
Keywords: conversion
*** Bug 270918 has been marked as a duplicate of this bug. ***
resummarising
Summary: [RFE] Automatically log into sites for which the name/password is stored (HTTP Basic Auth) → [RFE] optionally enable unprompted http basic authentication (automatically log in when username/password is stored)
Assignee: bryner → nobody
Priority: P4 → --
QA Contact: davidpjames → password.manager
Summary: [RFE] optionally enable unprompted http basic authentication (automatically log in when username/password is stored) → optionally enable unprompted http basic authentication (automatically log in when username/password is stored)
Depends on: 265780
Whiteboard: [p-safari]
*** Bug 341105 has been marked as a duplicate of this bug. ***
Ironic that because Safari has this feature and Firefox doesn't, I often end up using Safari to access Mozilla Corp's internal wiki ;)
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9-
Whiteboard: [p-safari] → [wanted-1.9] [p-safari]
anyone it is working on it? i need this feature, any workaround to make this automatic anyway? Thanks.
(In reply to comment #3) > This will need the ability to "uncheck" the box in some way other than removing > it from the password manager completely. I suggest using URLs like http://user1@example.org, then "unchecking" would be easy. Unfortunately Firefox (2.0.0.3, haven’t tried a nightly build) doesn’t use the stored password with URLs like this. Also, the user is prompted if he really wants to login as user1 (bug 377786).
Apparently there's an extension that does this: http://www.efinke.com/addons/autoauth/
Assignee: nobody → dolske
Target Milestone: --- → Firefox 3
Assignee: dolske → nobody
Flags: wanted-firefox3+
Whiteboard: [wanted-1.9] [p-safari] → [p-safari]
Blocks: 267203
Product: Firefox → Toolkit
Target Milestone: mozilla1.9 → mozilla2.0
Updating summary. One special case of this is for proxy authentication. We might want to consider having HTTP authentication default to always-prompt, but proxy-auth default to auto-login... My rough reasoning is that prompting for HTTP auth might be wanted as a safety-check step (eg, against CSRF), whereas for most people prompting for proxy auth is just an annoyance.
Summary: optionally enable unprompted http basic authentication (automatically log in when username/password is stored) → automatic login for HTTP/proxy authentication
That's a pretty weak CSRF defense. We shouldn't keep the prompt if it's just for CSRF defense.
We could probably do something with making HTTP auth automatic when it's the same-origin as the page, but still prompt otherwise. Not sure what the full UI should be, just noting that we could be more liberal with proxy auth than HTTP auth. Like I said, "rough reasoning." :)
FWIW, I voted for this bug because I want unprompted HTTP auth. I frequently have a page in my session store that I have the password saved for, and I'd like the login manager to just submit it for me without a dialog.
Assignee: nobody → dolske
Target Milestone: mozilla2.0 → mozilla1.9.2
Attached patch Patch v.1 (WIP) (obsolete) (deleted) — Splinter Review
This patch implements backend support for having logins automatically submit in HTTP auth, and makes promptAuth() skip the prompt when it's filled with an autologin login. Three main areas of work before this can land: * Want doorhanger UI so that it's easy to turn off automatic login * Need to figure out UI for enabling automatic login * Need to implement a way to suppress automatic login when we try but it fails (eg, if you password expired). It would also be nice to figure out if/how automatic form logins should work. That's for a separate bug, but would be good to make sure we don't have to change the DB schema in a complicated way.
Depends on: 513408
Bug 521467 has an alternative fix.
> * Need to implement a way to suppress automatic login when we > try but it fails (eg, if you password expired). My patch has that.
Is this bug related to the just-fixed-on-trunk bug 521467?
Yes. That bug allows to automatically log in to your *proxy* without prompt. It does not cover HTTP web servers (which have very different security and privacy characteristics. The code there helps with the network code to notify us about login failures, which dolske referred to in comment 23 as: > * Need to implement a way to suppress automatic login when we try but it > fails (eg, if you password expired). It does not help with the rest of the code needed here.
Hi, Is there a patch for this that I can try in my Firefox installation? Thanks and Regards, Vinod.
Attached patch Patch v.2 (obsolete) (deleted) — Splinter Review
Updated patch. Hitting some odd breakage, though, in that I keep getting |undefined| for .autoLogin. Eg, with the logging in this patch I get: ... PwMgr mozStorage: _findLogins: returning 1 logins PwMgr mozStorage: ZZZ logins[0].autoLogin is: true Pwmgr Prompter: found 1 matching logins. Pwmgr Prompter: ZZZ selectedLogin.autoLogin is: undefined Not sure what's going wrong. :-/
Attachment #380553 - Attachment is obsolete: true
Attached patch Patch v.3 (deleted) — Splinter Review
Grr. Was missing a QI. Problem fixed. I think this is mostly done, just a few things to check and write tests. Also considering only having autoauth working for top level documents, so that embedded images/iframes would not log in automatically (perhaps only when when eTLD+1s differ?)
Attachment #449338 - Attachment is obsolete: true
Attachment #449359 - Flags: feedback?(paul)
Comment on attachment 449359 [details] [diff] [review] Patch v.3 >+ _dbMigrateToVersion5 : function () { >+ // Add the new column only if needed. >+ if (!this._dbColumnExists("autoLogin")) { >+ // XXX integer seems simplest here (0=false, 1=true), but maybe this >+ // should be text. eg "yes/no/never" or for storing URLs for form >+ // logins (ie, only autosubmit on certain URLs)? >+ this._dbConnection.executeSimpleSQL( >+ "ALTER TABLE moz_logins ADD COLUMN autoLogin INTEGER"); >+ } I had a similar question - we could use "boolean" types instead of 0/1. I think internally it's the same to sqlite. But if we do go for a 3-state flag, then we probably shouldn't do text. Keep them as ints and define some constants. Not sure how I feel about storing urls...
Attachment #449359 - Flags: feedback?(paul) → feedback+
Flags: wanted-fennec1.0?
Flags: wanted-fennec1.0?
Any news here?
FWIW, automatic HTTP proxy auth is implemented as part of Bug 521467. You just need to set pref "signon.autologin.proxy" = true (Boolean). Bug 646452 is about making it work by default.
Summary: automatic login for HTTP/proxy authentication → automatic login for HTTP authentication
(clearing assignment of bugs I'm no long planning to work on)
Assignee: dolske → nobody
I think that we can use the fix from Bug 521467 here. That fix gave us the convenient signon.autologin.proxy pref, so it should be pretty easy to add an autologin checkbox to the proxy dialog. I'll try this out later.
Whiteboard: [p-safari] → [passwords:http-auth][parity-safari]
Target Milestone: mozilla1.9.2 → ---
Priority: -- → P5
Mass bug change to replace various 'parity' whiteboard flags with the new canonical keywords. (See bug 1443764 comment 13.)
Keywords: parity-safari
Whiteboard: [passwords:http-auth][parity-safari] → [passwords:http-auth]
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: