A tricky side effect of Firefox’s “remember password” feature

I think this is worth sharing.

I have a page that allows customers to modify their account password. The password field and ‘password again’ field are pre-filled with the user’s password (encrypted). (I know this is not the best practice and they should be left blank – this is a purchased software package.)

What happens is that if no change is made to the password, the client script that verifies that the passwords match always reports an unmatched password. The HTML source code does show that both password fields are the same. But somehow this code

document.getElementById("password").value

always gets the user’s real password, not the encrypted one in the HTML source code. It turns out that Firefox’s “Remember Password” feature automatically puts in the remembered password, regardless of the value specified in the source.

Lesson learned: use different IDs for the login and password change screens. However, the best practice is to leave it blank and not to update it if the password is blank.
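The failing check and the blank-field alternative, as an added example that is not code from the original post or from the purchased package. It models the fields as plain objects instead of DOM nodes so it runs in Node; the IDs `password2`, `newPassword` and `newPasswordAgain`, the sample values, and the rule that the remembered password lands only in a field sharing the login field's ID are assumptions made to reproduce what the post reports.

```javascript
// Constructed model of a form: each entry stands in for an <input type="password">,
// and `value` is what document.getElementById(id).value returns at submit time.
function renderForm(ids, serverValue) {
  return ids.map((id) => ({ id, value: serverValue }));
}

// Model of the behaviour the post reports (an assumption, not browser code): the
// remembered password replaces the value of any field sharing the login field's ID.
function applyRememberedPassword(form, loginFieldId, remembered) {
  for (const field of form) {
    if (field.id === loginFieldId) field.value = remembered;
  }
  return form;
}

// The check described in the post: compare the two live field values.
function originalCheck(form) {
  return form[0].value === form[1].value ? "match" : "unmatched";
}

// Blank-field variant: both empty means "keep the current password".
// The server should apply the same rule and skip the update on a blank password.
function decidePasswordChange(form) {
  const [pw, again] = form.map((f) => f.value);
  if (pw === "" && again === "") return "keep";
  if (pw !== again) return "reject";
  return "update";
}

// Constructed sample values.
const REMEMBERED = "real-password";
const ENCRYPTED = "ENCRYPTED-PLACEHOLDER";

// Pre-filled form that reuses the login ID: the user changes nothing, yet the check fails.
function scenarioOriginal() {
  const form = renderForm(["password", "password2"], ENCRYPTED);
  return originalCheck(applyRememberedPassword(form, "password", REMEMBERED));
}

// Blank form with its own IDs; `typed` is optional [password, passwordAgain] user input.
function scenarioHardened(typed) {
  const form = renderForm(["newPassword", "newPasswordAgain"], "");
  applyRememberedPassword(form, "password", REMEMBERED);
  if (typed) form.forEach((f, i) => (f.value = typed[i]));
  return decidePasswordChange(form);
}
```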

This entry was posted in ASP.NET.