Closed
Bug 65947
Opened 24 years ago
Closed 23 years ago
form password is remembered when hitting back button
Categories
(Core :: DOM: Navigation, defect, P3)
Core
DOM: Navigation
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: bugzilla, Assigned: radha)
References
()
Details
(Whiteboard: fix in hand)
Attachments
(1 file)
(deleted),
patch
|
Details | Diff | Splinter Review |
if you go to:
http://gemal4.sprawl.dk/
the page outputs:
Cache-control: no-cache
Pragma: no-cache
but if you enter some text in the login and password and tries to login you get
an error. But when you press Back the password and login is still there.
Expected:
In other browsers when you press back to a page that has nocache the page is
reloaded.
Comment 1•24 years ago
|
||
the summary is incorrect, not sure what it's supposed to read though, i'll leave
it up to you.
Comment 2•24 years ago
|
||
Maybe the summary is better now, but marking invalid. And it isn't cache
related, it's form related.
When pressing back, Mozilla fills the form with the previously entered value,
which is a very Good Thing! If you fill out a form, submit it, but made a
mistake and go back, you wouldn't want to fill in everything again.
If you want to get rid of these values, either add a "reset" button to that
web page and press it, or reload the page. If pressing the reload button
doesn't work, click in the location bar and press the Enter key.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Summary: mozilla does respect no caching headers → Mozilla doesn't respect any cacheing headers
Reporter | ||
Comment 3•24 years ago
|
||
This is really bad bad...
What about when people leave the machine, and you can just go to the machine,
press back a couple of times and log into a application because the
username/password is there. That's why login pages always should use nocache.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 4•24 years ago
|
||
You should never ever leave your machine unlocked. :)
Okay, reassigning to Form Submission then, and changing summary again.
I really don't think this is a cache issue. The password is not part of the
web page (the HTML file), and that's all that is cached.
And what about the password manager? It also remembers passwords, and here
it is much more important not to leave without locking the desktop.
(Unless you use encryption for storing the passwords and let the local password
expire every few minutes.)
Assignee: neeti → rods
Status: REOPENED → NEW
Component: Networking: Cache → Form Submission
QA Contact: gordon → vladimire
Summary: Mozilla doesn't respect any cacheing headers → form password is remembered when hitting back button
Reporter | ||
Comment 5•24 years ago
|
||
in my opinion this is a network cache problem. Since the login page is nocache,
pressing back to the login page on other pages should instruct mozilla to reget
the login page since it's not in the cache, because of the nocache.
Comment 8•24 years ago
|
||
Radha, it sounds like maybe here session history should get notified when Netlib
recieves No-Cache headers so that it doesn't saves form control state for that
page? Does that sounds right?
Assignee | ||
Comment 9•24 years ago
|
||
Eric, That does sound right. we can probably use the loadtypes for that purpose.
nsDSURIContentListener::DoContent() can look in to the nsiRequest or the channel
to figure that it was a no-cache request and set a loadtype(BYPASS_CACHE or
something) that will add the page to history but not save the form values. we
need to check for that flag in nsDOcSHell::PersistLayoutHistoryState()
Another way is to save the values in History, but not restore it. LoaadType can
be set to one of the existing types. See nsDocShell:Embed() and avoid restoring
it.
cc'ing gordon. Today in a meeting with him, there was a mention of caching data
though the page says "No-Cache". Darin, Gordo, Can you clarify what happens in
this situation.
Comment 10•24 years ago
|
||
Currently, if the server response says "no-cache" then we don't put it in the
cache. In the future, this may change for POST transactions.
Also, I don't believe that nsIHTTPChannel::BYPASS_CACHE is honored. It is just
cruft that should be removed from nsIHTTPChannel. If this is the behavior that
you want then you can use nsIChannel::FORCE_RELOAD in the load attributes.
Updated•24 years ago
|
Assignee: pollmann → radha
Comment 11•24 years ago
|
||
These changes are a bit out of my area of expertise. Handing to the SH guru. :)
Assignee | ||
Updated•24 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P3
Comment 12•24 years ago
|
||
Cc mstoltz.
See also bug 60877 (r. invalid), "sign-out from hotmail and then clicking on
back button lands up inside the user's mail account".
I don't like the idea of storing POST forms, but not normal pages, when the no-
cache header is present. That's the opposite of what we do now for pages
without no-cache, and it just seems weird.
Comment 13•24 years ago
|
||
our current plan is to store POST responses in the cache in such a way that they
are only retreivable via session history. no-cache pages will be stored in the
cache as well, but with an expiration time = now. session history tells HTTP
not to validate content, which means that going back to a page with no-cache
content, will result in content being fetched from the cache.
Comment 14•24 years ago
|
||
That seems right to me.
Assignee | ||
Comment 15•24 years ago
|
||
This bug is contrary to arguments made in bug 56346. I guess this should be
marked "won't fix"?
Assignee | ||
Comment 16•24 years ago
|
||
I tried to go to the page above and get a forbidden message. Any otehr good test
case with no-cache controls?
Reporter | ||
Updated•24 years ago
|
Assignee | ||
Comment 17•24 years ago
|
||
I see that nav 4.7 and IE don't restore the form values when going back to
the above page. But, based on Darin's comments above on the cache policy and SH
usage of it, I'm marking this bug Won't fix. It is a cache-policy issue rather
than a problem with back/forward buttons or a bug in SH.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → WONTFIX
Reporter | ||
Comment 18•24 years ago
|
||
I'm not sure if I understand this correct. But:
This is really really bad for use of Mozilla on public PC's. We have:
Cache-control: no-cache
Pragma: no-cache
on the login page of our webmail application so that people cant just press
"Back" and login as other people.
What's the solution for us? Disable use of Mozilla?
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Assignee | ||
Comment 19•24 years ago
|
||
We discussed this last week in a meeting. This is primarily a end-user feature
issue than a bug in cache or form value restoration. In public PC situations,
different profile can be used by each user, thus when a user exits, all the data
for that profile is deleted which includes SH and form values. Another argument
to the same problem is, what if the user submitted a wrong url and passwrod and
wanted to go back and correct it. An option of using Pref is also being
considered. Marketing is trying to help arrive at a solution for this.
Status: REOPENED → ASSIGNED
Target Milestone: mozilla0.9.1 → mozilla1.0
Comment 20•23 years ago
|
||
I don't understand how preferences should help.
I think of using webmail in i-cafes or on fairs or conferences.
So people reading mail somewhere always have to switch browser settings?
I think this is not useable because normal PC _users_ don't think about
this security problem.
Comment 21•23 years ago
|
||
if you are concerned about privacy in such cases, just close the browser window.
that will close the most obvious security "holes."
Reporter | ||
Comment 22•23 years ago
|
||
many (most) public machine doesn't allow you to close the browser window.
Still think this is really really bad for mozilla security...
Comment 23•23 years ago
|
||
I tend to agree with Henrik about this. The argument in bug 56346 doesn't
mention passwords. It seems reasonable that history entries should be cached,
but password fields should be an exception. THe contents of a password field
should not be remembered in history. Let's do what NS4 and IE5 do and not
remember password data. Let's not deliberately make Mozilla less secure than NS4.
Comment 24•23 years ago
|
||
Comment 25•23 years ago
|
||
FWIW, this patch makes us behave like IE and forget passwords. This is
different than Nav 4.x's behavior. Nav 4.x does indeed remember passwords. Not
that I think this is a good idea, just noticed... :)
So... since the problem and fix are layout, I'd be willing to take this bug if
you think this is a good solution, Radha. Nominating for 0.9.2 as it improves
security...
Severity: normal → major
Component: Form Submission → History: Session
Keywords: mozilla0.9.2
OS: Windows 2000 → All
Hardware: PC → All
Whiteboard: fix in hand
Reporter | ||
Comment 26•23 years ago
|
||
Wouldn't it be possible to just remember password as long as the page you go
back is not using "Cache-control: no-cache" or "Pragma: no-cache". That would
solve my problems.
Assignee | ||
Comment 27•23 years ago
|
||
Remembering passwords is not related to cache controls. I don't think there is a
way thro' nsICachingChannel or any other interface to check that. Eric, I'm OK
if you want to take over this bug and fix it. But, I'm still not convinced that
this is a issue in public machines. I don't think the current behavior makes N6
less secure either. Now that dynamic profile switching is available, SH and
related form values are destroyed when the profile is changed. Sites that have
good security measures will not allow you to go back into the site, once you log
off. For example, go to netcenter, login, do your work, sign off and click back,
you are redirected to the login page. From a embedding point of view (like in
kiosk modes), we don't believe this is an issue.
Comment 28•23 years ago
|
||
WHat if the user forgets to sign off?
Assignee | ||
Comment 29•23 years ago
|
||
That is user's mistake. if you go somewhere else from your webmail without
signing off and click back, you will go back into the webmail session. we
can't add features to cover user's stupidity. Some bank sites have a timer based
logoff. My bank's website will automatically sign me off, if I don't perform any
action for 1.5 minutes.
Comment 30•23 years ago
|
||
Ok, really, really good sites use session-ids even for login-screens.
But I've not seen a single site that does so yet.
Radha, I tried (with latest nightly-build) reading my mails using the
webmail-interface of netcenter, signed out, chose the login-page from
session-history, clicked on sign in (without needing to retype my password) and
was logged in again.
I really can't afford to tell any user to use N6 or mozilla as long as this
security risk exists!
I really encourage Eric to take over this bug and to fix it, please!
P.S.: I'm not talking about users who forget to sign off, I talk about people,
seeing a browser, using webmail, signing off, feeling secure. No one really
wants to think about what to do with browser A and/or browser B to make him
forget session history!
Comment 31•23 years ago
|
||
Oops, well... Sorry for the short notice, but I am on vacation now through
8-July-2001.
I won't be able to make sure this gets in anytime soon. Radha, I'll leave it to
you to see if the patch does something reasonable (never save passwords in
session history), and if so, please feel free to get r/sr and check it in.
Comment 32•23 years ago
|
||
This issue appears to be related to Gagan's "clarity" bug, namely bug 90288 .
That bug is pdt+ -- if you think the two issues are related, let's try and land
Pollmann's patch too. If they are dupes of one another, then so be it --
someone should conclude this and mark it so. But note that bug 90288 makes
*strict* mention of only the pragma directive not being respected. This bug
suggests a bit more, and from what I understand from Pollmann's patch, fixes
stuff with passwords. The real problem is respecting HTTP-EQUIV directives that
tell us not to cache pages, not uniquely passwords related stuff. Cc'ing Gagan.
Comment 33•23 years ago
|
||
I am not completely convinced that forgetting passwords in SH is a good thing.
But then I'd leave that as a debate to be discussed separately. Just to clarify
bug 90288 deals with not caching (even for SH purposes) a "pragma: no-cache"
page. This means hitting back button on a page that has that will indeed be
refetched. Would let eric say if we try and refill form elements on a refetched
page. So my changes in bug 90288 may or may not affect this one directly.
Comment 34•23 years ago
|
||
PSM security comments.
About gagan's previous comment:
My opinion is that if we refetch the page (especially as a result of a pragma no
cache) then we should not use any remembered form values.
About Alexander Helm's comment:
If indeed it is still the case that one can log on to web mail, read it, log out
then be able to log back in in the way Alexander described, then that's terribly
bad.
Comment 35•23 years ago
|
||
Gagan says "r=gagan@netscape.com" and Vidur says "sr=vidur@netscape.com".
Checking in to the trunk and marking bug FIXED.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → FIXED
Comment 36•23 years ago
|
||
This is a bit late, but I'd like to point out that this is possibly too
aggressive. Occasionally I'll do something like misspell my username in
bugzilla, and go back to change it.
We already have an attribute which can be added to forms to disable the password
manager, and ie honors that as well. It makes much more sense to act on that,
instead. If its in the password manager, session history not caching it won't
make a difference.
(The attribute is autocomplete=off, see bug 63961)
I'll note for the record that the page in the url bar here has autocomplete=off
on the appropriate form.
Basing what we do on that attribute makes more sense to me, although very quick
test with ie seems to indicate that it does what we now do, and never caches the
password in session history.
Comment 37•23 years ago
|
||
This doesn't appear to be completely fixed in one edge case - see bug 92532.
Comment 38•23 years ago
|
||
verifying fixed on build 2001-08-06-04-trunk. Its not remembering the password
any more on the page in the URL.
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 39•23 years ago
|
||
Bradley: if you think this is the wrong way to solving the problem please open a
new bug. Otherwise you comments from 2001-07-19 17:38 will be forgotten.
Comment 40•23 years ago
|
||
Component: History: Session → Document Navigation
QA Contact: vladimire → docshell
You need to log in
before you can comment on or make changes to this bug.
Description
•