"Please confirm which user you are changing the password for"

Question

So I just made a change password form for my rails app. It's just like any other very typical password change form.

So after a few times testing it out I started seeing a popup box saying

"Please confirm which user you are changing the password for"

Now this really freaked me out a bit since I know I did not write any code to do such things and I definitely do not want users to change other users' passwords.

I soon found out it was firefox's password manager. So now I'm calmed down about it, but still, I don't want this to happen to other people using my site.

How does firefox know it's changing a password anyways? Maybe it's the names of my password fields or maybe even my forms action url (/account/change_password)? Is there a way to make it not do this? Has anyone else had experience with this?

Answer 1

Put below line inside form, it will work:

<input type ="text" name="username" value="" style="display:none">

Answer 2

I didn't manage to make it work with the hidden field containing the username. I needed to have a text input containing the associated username and Firefox won't ask you for which user you want to change password. Moreover, that text input can be hidden using basic CSS.

Ex:

<html>
<form action="#" method="post">
    <input type="text" name="user" value="chose" style="display: none" />
    Pass: <input type="password" name="old_pass"/>
    New pass: <input type="password" name="pass"/>
    <input type="submit"/>
</form>
</html>

Answer 3

When I had the same problem (on a change password form, never the login form) the only way I could avoid this popup was to disable autocompletion on the password change form:

<form autocomplete="off" onsubmit="..." ...>

This is documented in the Mozilla Developer Network but does unfortunately mean that your HTML won't validate, as discussed in this Stack Overflow question. A small price to pay to fix something that most users will assume is a bug with your website.

Answer 4

This is a FireFox specific issue, and is easy enough to fix.

The browser notices multiple password fields on the form, and assumes you are changing the password, but it can't easily work out which user is logged on. To help it out, populate your users name into the form:

<INPUT TYPE="hidden" NAME="username" VALUE="<?php echo("$name"); ?>">

Something like that will work, so long as you set the variable in php first!

Answer 5

When users of your site log in for the first time, Firefox will ask the user whether they want to save the password or not. If they say yes, the password is saved.

Now, if the user changes their password on your site, Firefox will not know about it immediately. But when the user logs in with the new password, Firefox will recognize that the password you entered is not what it has on file. So it asks if you want to save that password.

Say the user has two accounts on your site now and they change the password to one of them. When they go to log in with that user and Firefox tries to update its records, it may ask "which user are you changing the password for?"

This is client-side functionality and isn't something you can really change. The user has chosen a browser that keeps track of their accounts and it's not something you can prevent.

Answer 6

Users of our site will only see this error if they login with multiple accounts. I would not make a change to your application based on this behavior from firefox.