I found a couple of other posts about this, but they are somewhat old, and had no answers, so I figured I'd ask again.
It appears that when you use the Changepassword control on a page, and then browse to the page in FireFox, something odd happens. After filling out the form with the old and new passwords and clicking the submit button, you get a modal dialog asking you to
confirm the user for which you are changing the password. This is of course a security risk since the dialog shows a list of all usernames for the site. The other thing is, even though it shows the dialog, it seems to have no purpose because no matter which
user you select, or which button you press (OK, or Cancel), the operation continues and the password is changed for the current logged in user.
In my case, I've got a very basic setup. I'm using forms authentication with the default membership provider (using SQL Express 2005), and pretty much all settings on default .
Does anyone know why this happens in firefox, or more importantly, how to fix it (that is, so that the modal dialog doesn't show up)?
Otherwise, I guess I'll have to implement my own solution for changing the password.
The Wheel is turning and you can't slow it down, can't let go and you can't hold on. You Can't go back, and you can't stand still, If the thunder don't get ya then the lightning will!
Well, I finally figured this out. I'll post what happens here for the others who have had this problem.
It has nothing to do with .NET, and everything to do with firefox. In firefox, when you login to a web site, you are asked if you want firefox to remember your password (similar to IE). If you choose yes, then firefox stores your login information for the
site. If you log into a single site with multiple usernames and save their passwords, firefox remembers them. Then when you go to a page that allows you to change your password, when you submit the form, Firefox tries to be smart. It determines, hey, this
guy is changing one of the passwords I have saved for this site. Firefox then prompts you with a list of all it's saved usernames for this site and asks you for which of those users you are updating your password. It does this so that it can keep it's own
list of usernames and passwords up to date. So if you go into the options in firefox and find the list of passwords it has saved, and remove all the usernames (you can leave 1 if you want) for the web site, then you won't get that dialog prompt when using
the changepassword control.
Strangely enough, I finally figured this out when I gave up on the changepassword control and tried to implement my own custom password changing page, and was still getting the prompt. Surely it's not tied to the MembershipUser.ChangePassword() method? And,
one of the users in the prompt list doesn't even exist on my site anymore! I Finally I found the answer. I don't know what method firefox uses to detect that you are changing a password. Could be page name (my page is ChangePassword.aspx). Could be the form
fields on the page. Could be something else. I didn't try to figure that out. I just removed all the other usernames from firefox's saved usernames list for my site, and that gets rid of the problem.
Anyway, that's why you get that prompt in firefox. It has nothing to do with .NET. Just delete the extra user firefox has saved in it's password list and the prompt will go away.
The Wheel is turning and you can't slow it down, can't let go and you can't hold on. You Can't go back, and you can't stand still, If the thunder don't get ya then the lightning will!
wsmonroe
Member
132 Points
56 Posts
Changepassword Control Prompts for user selection
Aug 29, 2006 02:14 PM|LINK
Hi all,
I found a couple of other posts about this, but they are somewhat old, and had no answers, so I figured I'd ask again.
It appears that when you use the Changepassword control on a page, and then browse to the page in FireFox, something odd happens. After filling out the form with the old and new passwords and clicking the submit button, you get a modal dialog asking you to confirm the user for which you are changing the password. This is of course a security risk since the dialog shows a list of all usernames for the site. The other thing is, even though it shows the dialog, it seems to have no purpose because no matter which user you select, or which button you press (OK, or Cancel), the operation continues and the password is changed for the current logged in user.
In my case, I've got a very basic setup. I'm using forms authentication with the default membership provider (using SQL Express 2005), and pretty much all settings on default .
Does anyone know why this happens in firefox, or more importantly, how to fix it (that is, so that the modal dialog doesn't show up)?
Otherwise, I guess I'll have to implement my own solution for changing the password.
wsmonroe
Member
132 Points
56 Posts
Re: Changepassword Control Prompts for user selection
Aug 29, 2006 04:50 PM|LINK
Well, I finally figured this out. I'll post what happens here for the others who have had this problem.
It has nothing to do with .NET, and everything to do with firefox. In firefox, when you login to a web site, you are asked if you want firefox to remember your password (similar to IE). If you choose yes, then firefox stores your login information for the site. If you log into a single site with multiple usernames and save their passwords, firefox remembers them. Then when you go to a page that allows you to change your password, when you submit the form, Firefox tries to be smart. It determines, hey, this guy is changing one of the passwords I have saved for this site. Firefox then prompts you with a list of all it's saved usernames for this site and asks you for which of those users you are updating your password. It does this so that it can keep it's own list of usernames and passwords up to date. So if you go into the options in firefox and find the list of passwords it has saved, and remove all the usernames (you can leave 1 if you want) for the web site, then you won't get that dialog prompt when using the changepassword control.
Strangely enough, I finally figured this out when I gave up on the changepassword control and tried to implement my own custom password changing page, and was still getting the prompt. Surely it's not tied to the MembershipUser.ChangePassword() method? And, one of the users in the prompt list doesn't even exist on my site anymore! I Finally I found the answer. I don't know what method firefox uses to detect that you are changing a password. Could be page name (my page is ChangePassword.aspx). Could be the form fields on the page. Could be something else. I didn't try to figure that out. I just removed all the other usernames from firefox's saved usernames list for my site, and that gets rid of the problem.
Anyway, that's why you get that prompt in firefox. It has nothing to do with .NET. Just delete the extra user firefox has saved in it's password list and the prompt will go away.