Auto sign-in loop
Reported by
lleonard...@gmail.com,
Nov 25 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36

Example URL: I'm accessing NYTimes, but in every similar website with 2+ choices of sign-in on the same page

Steps to reproduce the problem:
1. Navigate to a webpage like https://myaccount.nytimes.com/auth/login
2. Have a different (old) password saved in Chrome and try to log in using either Facebook or Google or a new password
3. Instead of asking to update the password / let you log in, Chrome will go back to the login page and try to log in using the auto log-in feature.

What is the expected behavior?
Auto log-in should ask to update the password if password used is different from password saved and log-in is accepted
Auto log-in should not be called by Chrome if method of log-in is using Facebook log-in or Google log-in.
Auto log-in should have an option not to be called again on a webpage (as the "save password" function)

What went wrong?
Auto log-in creates a loop which doesn't allow the user to log in due to old/wrong password.

Does it occur on multiple sites: N/A
Is it a problem with a plugin? No
Did this work before? N/A
Does this work in other browsers? Yes

Chrome version: 54.0.2840.98
Channel: stable
OS Version: OS X 10.12.1
Flash Version: Shockwave Flash 23.0 r0
Nov 29 2016
Mac triage: over to vabr@ for investigation/routing. I have not attempted to reproduce this locally yet.
Nov 30 2016
Hi Vasilii, This looks like an autosignin issue affecting nytimes.com. Do you think you could have a look?
Dec 1 2016
This is a bug in the site's implementation. They do not handle the error case at all. The proper flow is
- Try to auto sign-in the user.
- If the credential is correct -> sign in and save the credential via the API.
- If the credential is incorrect -> render the password form and don't call the API again.
I think they already handle the case when user clicks "Cancel" in the account chooser. The same code path should be followed for the obsolete password case.
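
The flow described in the comment above, sketched as site-side JavaScript against the Credential Management API. This is an added example, not code from the site or from Chrome; the `verify` and `showForm` helpers, the storage key and the return strings are assumptions.

```javascript
// Added example. All names below except the navigator.credentials methods
// (get, store) are hypothetical.
const TRIED_KEY = 'autoSignInTried'; // assumed sessionStorage key

// deps.credentials: navigator.credentials in a browser
// deps.storage:     sessionStorage, so the flag survives the redirect back
//                   to the login page that caused the loop
// deps.verify:      posts the credential to the server; resolves true if accepted
// deps.showForm:    renders the ordinary password form
async function autoSignIn({ credentials, storage, verify, showForm }) {
  // Auto sign-in was already attempted in this tab: do not ask the browser again.
  if (storage.getItem(TRIED_KEY)) {
    showForm();
    return 'form';
  }
  storage.setItem(TRIED_KEY, '1');

  let cred = null;
  try {
    // Chrome 54 used `unmediated`; current browsers use `mediation`.
    cred = await credentials.get({ password: true, mediation: 'optional' });
  } catch (err) {
    cred = null; // an API error is handled like "no credential"
  }
  if (!cred) {
    // Nothing stored, or the user pressed "Cancel" in the account chooser.
    showForm();
    return 'form';
  }
  if (await verify(cred)) {
    await credentials.store(cred); // credential is correct: save it via the API
    return 'signed-in';
  }
  // Obsolete password: same path as "Cancel". No retry, no second get().
  showForm();
  return 'form';
}

// Browser wiring (not executed here):
//   autoSignIn({ credentials: navigator.credentials, storage: sessionStorage,
//                verify: postCredential, showForm: renderLoginForm });
```

Because the attempted flag lives in `sessionStorage`, a server redirect back to the login page after a rejected password lands on the form instead of triggering another credential request.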
Comment 1 by ajha@chromium.org, Nov 29 2016
Labels: M-54