save password alert in user administration dialog

Bug #1020941 reported by Matthias Ronge on 2012-07-04

Bug Description

When, in the “User” page, you click “edit user” and then on the “User groups” link, Firefox alerts and asks if you want to save the password. This is confusing and annoying. When adding a user group, nothing at all happens until you click “close”. At this moment, the dialog to save the password pops up again.

It would be very desirable not to submit the HTML form except when clicking the button “Save”. When clicking an “add” image button in the pop-up window, there should be some visible response.

Furthermore, because of the browser considering the user change dialog as a login form, this adds a user's credentials to the browser password safe.


Changed in goobi-production:
status: New → Triaged
importance: Undecided → High

Modern browsers will offer a password saving dialog on every submit event if the submitted form contains an input field of type password. There is no way to disable this behavior with plain HTML forms. Maybe a separate password changing dialog is a solution.

Some findings:

1. Seems like all browsers (except Opera) skip saving the password if the 'autocomplete="off"' attribute is given for the password field. The currently used JSF implementation unfortunately doesn't allow specifying this attribute.

2. All browsers skip password saving if there is more than one password field.

description: updated

As described in not all browsers stop saving passwords if there is more than one password field available. The only reasonable way to stop browsers from doing that is to use the autocomplete attribute. As this is not possible with JSF 1.x standard elements, a custom UIComponentTag renderer has to be developed:

summary: - save password alert in firefox
+ save password alert in user administration dialog
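
A renderer of the kind the last comment calls for, as an added example that is not Goobi's code and not the commenter's: it replaces the standard renderer behind `h:inputSecret` under JSF 1.x so that the password field is written with `autocomplete="off"`. The class name, the package and the choice to override the standard `javax.faces.Secret` renderer type through faces-config.xml are assumptions.

```java
// Added example, not Goobi code. Class and package names are hypothetical.
// Assumed registration in WEB-INF/faces-config.xml, so existing <h:inputSecret> tags use it:
//   <render-kit><renderer>
//     <component-family>javax.faces.Input</component-family>
//     <renderer-type>javax.faces.Secret</renderer-type>
//     <renderer-class>example.NoAutocompleteSecretRenderer</renderer-class>
//   </renderer></render-kit>
package example;

import java.io.IOException;
import java.util.Map;
import javax.faces.component.UIComponent;
import javax.faces.component.UIInput;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.render.Renderer;

public class NoAutocompleteSecretRenderer extends Renderer {

    // {component attribute, HTML attribute}: string-valued ones only, copied when set.
    private static final String[][] PASS_THROUGH = {
        {"styleClass", "class"}, {"style", "style"}, {"title", "title"}, {"tabindex", "tabindex"}};

    /** Reads the posted value; an absent request parameter leaves the component untouched. */
    public void decode(FacesContext context, UIComponent component) {
        Map params = context.getExternalContext().getRequestParameterMap();
        String clientId = component.getClientId(context);
        if (params.containsKey(clientId)) {
            ((UIInput) component).setSubmittedValue(params.get(clientId));
        }
    }

    /** Writes the password input with autocomplete="off"; the stored value is never echoed
     *  back, matching h:inputSecret with redisplay left at its default of false. */
    public void encodeEnd(FacesContext context, UIComponent component) throws IOException {
        ResponseWriter out = context.getResponseWriter();
        String clientId = component.getClientId(context);
        out.startElement("input", component);
        out.writeAttribute("type", "password", null);
        out.writeAttribute("id", clientId, "clientId");
        out.writeAttribute("name", clientId, "clientId");
        out.writeAttribute("autocomplete", "off", null);
        for (int i = 0; i < PASS_THROUGH.length; i++) {
            Object value = component.getAttributes().get(PASS_THROUGH[i][0]);
            if (value != null) {
                out.writeAttribute(PASS_THROUGH[i][1], value, PASS_THROUGH[i][0]);
            }
        }
        out.endElement("input");
    }
}
```

Current browser password managers may ignore `autocomplete="off"` on password fields, so moving the password change into its own dialog, as suggested earlier in the thread, remains the more dependable fix.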