Browser password manager on password-reset page not saving correct site location

The issue I’m seeing may need to be moved to a new topic.

Repro:

  1. Get invited to a Discourse.
  2. Accept by clicking a link.
  3. Receive an email saying “set your password”.
  4. Click the link and set a password.
  5. Browsers will offer to save the password, but the email isn’t anywhere, making the resulting saved credential an orphan, unable to get used.

Yes that is a completely different issue. I am not sure the invite flow can be captured by any known password manager. I wonder if putting the email on the page as a form field, but read-only, would work? @techapj can you put on your list a quick hack to test this theory?

1 Like

Okay, I am able to repro this.

The issue is that the password manager is saving the site location as http://forum.example.com/users/password-reset, so the credential is not getting used on http://forum.example.com. We somehow need to tell the password manager to save the site location as http://forum.example.com. This may be tricky.

Added to my list.

5 Likes

My password managers don’t care much about the full URL, only the domain.tld.

What happens a lot is that the password is saved without an email, preventing it from being used (or preventing Keychain on a Mac from saving anything at all).

We are providing the username (instead of email) in the form. I just checked and Chrome’s default password manager is saving the username/password combination.

2 Likes
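
The approach discussed in this thread (putting the account identifier on the reset page as a read-only form field), sketched as an added example that is not Discourse's own code. The function names, field names and the `autocomplete` hints (standard HTML values) are assumptions of this example, and the username is escaped because it is user-controlled text placed in an attribute.

```javascript
"use strict";

// Escape text for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical helper: renders a reset form that carries the username so the
// browser has an identifier to store next to the new password.
function renderResetForm(username, action) {
  if (typeof username !== "string" || username.length === 0) {
    // Without an identifier the saved credential is the orphan from the repro.
    throw new Error("username is required");
  }
  return [
    `<form method="post" action="${escapeAttr(action)}">`,
    `  <label for="reset-username">Username</label>`,
    `  <input id="reset-username" name="username" type="text" readonly`,
    `         autocomplete="username" value="${escapeAttr(username)}">`,
    `  <label for="reset-password">New password</label>`,
    `  <input id="reset-password" name="password" type="password"`,
    `         autocomplete="new-password" required>`,
    `  <button type="submit">Set password</button>`,
    `</form>`,
  ].join("\n");
}

// Constructed sample input: a hostile username shows the escaping at work.
const sampleHtml = renderResetForm('sam"><script>', "/users/password-reset");
console.log(sampleHtml);
```

`readonly` is only a client-side hint, so the handler should keep identifying the account from the reset link rather than from the submitted username field.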