
Browsers automatically filling in "Old password:" break Special:Preferences
Closed, Declined; Public

Description

As you may be aware, some of the more recent and popular browsers (unlike lynx) fill in saved usernames & passwords automatically on login pages. This does also happen on Special:Preferences; browsers fill in "Old password:" in the section "User profile" -> "Change password". When the user changes anything in his preferences, but omits changing anything in the "Change password" section, saving their preferences fails ("Incorrect password entered. Please try again."). This is because MediaWiki assumes that the user wants a new password if he fills in any of the "Change password"-fields; however, browsers do not automatically fill in the "New password:" and "Retype new password:" fields, so it looks to MediaWiki as if the user tried to change his password to void (which is an invalid request).

I think a more practical behavior for MediaWiki would be to ignore a "Change password"-request, if only "Old password:" has been filled in.


Version: unspecified
Severity: normal
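
The two behaviours the description contrasts, modelled as an added example (this is not MediaWiki's code; the function names, constants and sample values are hypothetical and constructed for illustration). In both variants a password is only ever changed after the old one has been verified.

```php
<?php
// Added illustration, not MediaWiki source. All names are hypothetical.
const PW_NO_CHANGE = 'no-change'; // stored password is left alone
const PW_CHANGE    = 'change';    // old password verified, new one accepted
const PW_REJECT    = 'reject';    // saving the preferences fails with an error

// Shared check: a change needs a non-empty, matching new password
// and a correct old password.
function verifyChange(string $old, string $new, string $retype, string $hash): string {
    if ($new === '' || $new !== $retype) {
        return PW_REJECT;
    }
    return password_verify($old, $hash) ? PW_CHANGE : PW_REJECT;
}

// Behaviour described in the report: any filled field counts as a request.
function classifyStrict(string $old, string $new, string $retype, string $hash): string {
    if ($old === '' && $new === '' && $retype === '') {
        return PW_NO_CHANGE;
    }
    return verifyChange($old, $new, $retype, $hash);
}

// Proposed behaviour: a lone "Old password:" value is ignored. The server
// cannot tell autofill from typing, so a wrong old password is also ignored.
function classifyLenient(string $old, string $new, string $retype, string $hash): string {
    if ($new === '' && $retype === '') {
        return PW_NO_CHANGE; // nothing to change to; $old is never used
    }
    return verifyChange($old, $new, $retype, $hash);
}

// Constructed sample submissions: [old, new, retype].
$hash  = password_hash('correct horse', PASSWORD_DEFAULT);
$cases = [
    'all empty'              => ['', '', ''],
    'autofilled old only'    => ['correct horse', '', ''],
    'wrong old only'         => ['guess', '', ''],
    'new without old'        => ['', 'n3w-pass', 'n3w-pass'],
    'wrong old, new given'   => ['guess', 'n3w-pass', 'n3w-pass'],
    'retype mismatch'        => ['correct horse', 'n3w-pass', 'n3w-pasS'],
    'valid change'           => ['correct horse', 'n3w-pass', 'n3w-pass'],
];
foreach ($cases as $label => [$old, $new, $retype]) {
    printf("%-22s strict=%-10s lenient=%s\n", $label,
        classifyStrict($old, $new, $retype, $hash),
        classifyLenient($old, $new, $retype, $hash));
}
```

The two variants differ only on the "old only" rows: strict rejects the whole save, lenient leaves the password untouched.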

Details

Reference
bz16345

Event Timeline

bzimport raised the priority of this task from to Lowest. (Nov 21 2014, 10:28 PM)
bzimport set Reference to bz16345.
bzimport added a subscriber: Unknown Object (MLST).

This is clearly wrong behavior on the part of the browsers. I think this was discussed recently in a duplicate bug.

Well, just because some browsers don't do their job correctly doesn't mean we can just look away. If Internet Explorer isn't compliant with XHTML specifications we also can't just say "Sorry, IE is not supported as it isn't compliant with standards".
I've encountered multiple persons having this problem and we can't just expect them to solve this problem themselves.

Besides, I don't really see the disadvantage of my proposal: It should be obvious to everyone that you can't change your password to void, and therefore it is unnecessary to warn people about it.

XHTML isn't a good example. The issue here is a browser performing user behavior for the user, in a way that the server cannot tell if it is the browser or the user. Also, we are dealing with passwords, so I'd be inherently careful about hacks around sloppy browser features.