Firefox Saved Passwords Gotcha

Posted At : September 30, 2004 3:02 PM | Posted By : Cameron
Related Categories: Misc,Technology,Standards

Today I came across a gotcha with the way Firefox saves username and password information for login forms. This may also be a problem with IE and other browsers/toolbars/add-ons, but I've never used this feature in anything but Firefox.

Here's the situation: Firefox saves username/password combinations per domain, not per individual page. This means that it will attempt to use the same username and password on a member login (/members/login.cfm) and an admin console (/admin/login.cfm). That's not really a big deal because it doesn't really create a security concern, and if you have different logins for the two forms, you just end up re-typing things.

Here's the problem: Say you are editing a user's account in the admin section of your website/intranet/application. If the field names match the names in your login form (i.e., username/password), then Firefox will OVERWRITE the value specified in the value="" attribute of the INPUT tag and will insert your saved login information instead. That's right, it overwrites any values you've programmatically populated the form with.

If you aren't paying close attention when you edit a user, it's very easy to submit the form with the newly inserted login info in it. Granted, there should be some biz logic that prevents the form submission from being successful, but I'll bet there are plenty of systems out there today without this vital bit of logic. If you suddenly find that 10 accounts in your application share the same username and password, this could very well be the reason.

The solution: This is probably a good idea either way, but the solution I've used is to make sure that your login forms use field names that are different from the ones in your administration tool's user profile edit forms. A quick solution to a very odd problem.
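The field-name separation described above can be checked mechanically. The following is an added example, not code from the original post: it scans templates for text or password inputs whose names match the login form's, following the post's description of when Firefox substitutes saved logins. The edit-form template paths, the markup, and the function names are constructed for illustration.

```javascript
// Added example: flag form fields in other templates whose names collide
// with the login form's fields. All templates below are constructed samples.

// Return the names of text-like and password <input> tags, lowercased so the
// comparison is case-insensitive (a conservative choice made by this example).
function credentialLikeFieldNames(html) {
  const names = new Set();
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    // Collect attr="v", attr='v' and attr=v pairs from the tag.
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    const type = (attrs.type || "text").toLowerCase();
    if (attrs.name && ["text", "password", "email"].includes(type)) {
      names.add(attrs.name.toLowerCase());
    }
  }
  return names;
}

// Compare every non-login template against the login form's field names.
function findCollisions(loginHtml, otherTemplates) {
  const loginNames = credentialLikeFieldNames(loginHtml);
  const report = [];
  for (const [path, html] of Object.entries(otherTemplates)) {
    const shared = [...credentialLikeFieldNames(html)].filter((n) => loginNames.has(n)).sort();
    if (shared.length > 0) report.push({ path, shared });
  }
  return report;
}

// Constructed sample templates: one colliding edit form, one with renamed fields.
const loginForm = `<form action="/admin/login.cfm" method="post">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Log in"></form>`;
const templates = {
  "/admin/editUser.cfm": `<form method="post">
    <input type="text" name="username" value="jsmith">
    <input type="password" name="password" value=""></form>`,
  "/admin/editUserRenamed.cfm": `<form method="post">
    <input type="text" name="acct_username" value="jsmith">
    <input type="password" name="acct_password" value=""></form>`,
};

console.log(JSON.stringify(findCollisions(loginForm, templates), null, 2));
```

Run against a real template tree, any path it reports is an edit form where a saved login could replace the server-populated values.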

Comments
UPDATE: Looks like this behavior was reported as a bug way back on 11/27/2001, and that it will not be changed.

https://bugzilla.mozilla.org/show_bug.cgi?id=11226...

As Firefox becomes more frequently used, this will become a greater issue...
# Posted By Cameron Childress | 9/30/04 3:33 PM
Please stop flip flopping.
# Posted By Robert | 9/30/04 8:08 PM
A man has to have shoes!
# Posted By Cameron Childress | 10/1/04 7:51 AM
This is a problem with the popular forum software phpBB, I have been caught out many times!
# Posted By Rob Lang | 5/24/06 2:19 AM