I do not think somebody should be forced to manage his passwords and usernames 
in a way that somebody else considers to be "more secure". If the developers 
put effort into preventing this behaviour, they could have made it configurable. 
I looked at the source and for me it looks a little like "Oh, we found a nice 
login solution. - But password managers do not work any more. - Well it's not a 
bug, it's a feature." :)

I found a pluggable solution for me without touching the original source 
(important for me because of the Debian package manager). I made four 
improvements for my needs. If somebody would like to use one or more of them on 
his SOGo instance - feel free to do so.

In /etc/sogo/sogo.conf I added my own JavaScript file:
SOGoUIAdditionalJSFiles = ( "gojowsky-login-features.js" );

and put this content into 
/usr/lib/GNUstep/SOGo/WebServerResources/gojowsky-login-features.js

=============================================================================================
document.observe( 'dom:loaded', function() {
    if ( $('connectForm') ) {
        // Preselect German Language
        $('language').setValue('German');

        // We want to hook into login process, so delete SOGos click and
        // keypress observers
        $('submit').stopObserving('click');
        $('userName').stopObserving('keydown');
        $('password').stopObserving('keydown');

        // Instead we start our own login functions
        $('submit').observe( 'click', onOurLoginClick );
        $('userName').observe( 'keydown', onOurFieldKeyDown );
        $('password').observe( 'keydown', onOurFieldKeyDown );

    }
});

function onOurLoginClick(event) {
    if ( $('userName').value.length > 0 ) {
        // Auto Domain Login: If there is no @ in username, we append current
        // second level domain
        var regexIsDomainPresent = /@/;
        if ( $('userName').value && ! regexIsDomainPresent.test( $('userName').value ) ) {
            // match() returns null for a host name without a dot (e.g. "localhost")
            var domainMatch = document.domain.match( /([^.]+)\.([^.]+)$/igm );
            if ( domainMatch ) {
                $('userName').value += '@' + domainMatch[0];
            }
        }

        if ( $('password').value.length > 0 ) {
            // use Firefox password manager
            triggerPasswordManager();

            // now SOGo can do what's necessary to do the real login
            onLoginClick();
        }
        else {
            $('password').focus();
        }
    }
}

function onOurFieldKeyDown(event) {
    if ( event.keyCode == Event.KEY_RETURN ) {
        // We check existence of username and password in this function, so no
        // need to do it twice
        onOurLoginClick(event);
    }
    else {
        // Let SOGo do the rest (delete error messages and so on)
        onFieldKeyDown(event);
    }
}

function triggerPasswordManager() {
    Event.observe( 'connectForm', 'submit', function(event) {
        Event.stop(event);
        if ( $('connectFormSubmit') ) {
            $('connectFormSubmit').remove();
        }
    });
    $('connectForm').insert({
        bottom: new Element('input', {
            id: 'connectFormSubmit',
            type: 'submit'
        }).setStyle({
            display: 'none'
        })
    });
    $('connectFormSubmit').click();
}
=============================================================================================



 
On 07.11.2014 13:06, Cristian Mack wrote:

>Yes that is true.
>And AFAIK this is intended behaviour, because of the security
>implications especially in hostile environments like internet cafes.
>
>On 2014-11-07 at 11:11, Martin Gojowsky wrote:
>> I do not agree that this is the same problem. Perhaps related somehow in the 
>> way that both deal with password managers.
>> But this bug says that a separate password manager (that recognized the 
>> password or got it manually) can not automatically open the webmail because 
>> the post address is wrong (pointing to an Ajax auth endpoint). I understand 
>> and know what the problem is. But it has nothing to do with my problem.
>> I am talking about the auto completion feature of Firefox. If it already has 
>> the password, it fills the form absolutely correctly. But it does not realize 
>> that the form is submitted so there is no prompt "Save this password for 
>> mail.example.org?"
>>
>>
>> On 06.11.2014 18:51, Jens Erat wrote:
>>
>>> Related: http://www.sogo.nu/bugs/view.php?id=2762
>>
>>> On 06.11.2014 18:34, Martin Gojowsky wrote:
>>>>
>>>> I am a friend of Firefox password manager (on secure computers) and I miss 
>>>> it very much with SOGo webmail.
>>>> I did some research and Firefox developers already took much effort to 
>>>> make the recognition better. E.g. all POST requests with password field 
>>>> are covered.
>>>> But function onLoginClick in SOGoRootPage.js builds a URI and does 
>>>> authentication by Ajax GET.
>>>> I can do $('connectForm').submit(); in Firebug console to save the 
>>>> password for me. Or build another form on the same domain 
>>>> (sogo.example.org/passwordform). But these are workarounds just for me, no 
>>>> solution for everyone.
>>>>
>>>> Is it possible to trigger Firefox in some other way?
>>>>
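
The "Auto Domain Login" step in the script above derives the mail domain from the last two labels of document.domain. The following added example (not part of the original post or of SOGo) shows what that expression yields for several host names and an alternative that completes the user name only from an explicit list of mail domains. The function names, the allow-list parameter and the host names are assumptions made for illustration.

```javascript
// Added example: function names are hypothetical, host names are constructed.

// What the posted expression yields for a host name (same regex and flags
// as the login script); null when the host name contains no dot.
function postedRegexDomain(hostname) {
    var m = String(hostname).match(/([^.]+)\.([^.]+)$/igm);
    return m ? m[0] : null;
}

// Pick the mail domain for a host from an explicit list: the longest listed
// domain that equals the host or is a whole-label suffix of it.
function mailDomainForHost(hostname, allowedDomains) {
    var host = String(hostname).toLowerCase().replace(/\.$/, '');
    var best = null;
    allowedDomains.forEach(function (domain) {
        var d = String(domain).toLowerCase();
        var isSuffix = host === d || host.slice(-(d.length + 1)) === '.' + d;
        if (isSuffix && (best === null || d.length > best.length)) {
            best = d;
        }
    });
    return best;
}

// Complete a bare login name. Names that already contain "@" and hosts
// with no listed domain are returned unchanged.
function completeUserName(userName, hostname, allowedDomains) {
    var name = String(userName);
    if (name.length === 0 || name.indexOf('@') !== -1) {
        return name;
    }
    var domain = mailDomainForHost(hostname, allowedDomains);
    return domain === null ? name : name + '@' + domain;
}
```

For a host such as mail.example.co.uk the posted expression yields co.uk, while the list-based lookup yields example.co.uk when that domain is listed.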
 