Thanks a lot, Martin. Much nicer login behavior!

On 11/7/2014 8:40 AM, Martin Gojowsky wrote:
I do not think somebody should be forced to manage his passwords and usernames in a way that 
somebody else considers to be "more secure". If the developers put effort in preventing 
this behaviour, they could have made it configurable. I looked at the source and for me it looks a 
little like "Oh, we found a nice login solution. - But password managers do not work any more. 
- Well it's not a bug, it's a feature." :)

I found a pluggable solution for me without touching the original source 
(important for me because of the debian package manager). I did four 
improvements on my needs. If somebody would like to use one or more of them on 
his SOGo instance - feel free to do so.

In /etc/sogo/sogo.conf I added my own javascript file:
SOGoUIAdditionalJSFiles = ( "gojowsky-login-features.js" );

and put this content to 
/usr/lib/GNUstep/SOGo/WebServerResources/gojowsky-login-features.js

=============================================================================================
document.observe( 'dom:loaded', function() {
     if ( $('connectForm') ) {
         // Preselect German Language
         $('language').setValue('German');

         // We want to hook into login process, so delete SOGos click and keypress observers
         $('submit').stopObserving('click');
         $('userName').stopObserving('keydown');
         $('password').stopObserving('keydown');

         // Instead we start our own login functions
         $('submit').observe( 'click', onOurLoginClick );
         $('userName').observe( 'keydown', onOurFieldKeyDown );
         $('password').observe( 'keydown', onOurFieldKeyDown );

     }
});

function onOurLoginClick(event) {
     if ( $('userName').value.length > 0 ) {
         // Auto Domain Login: If there is no @ in username, we append current second level domain
         var regexIsDomainPresent = /@/;
         if ( $('userName').value && ! regexIsDomainPresent.test( $('userName').value ) ) {
             $('userName').value += '@' + document.domain.match( /([^.]+)\.([^.]+)$/igm )[0];
         }

         if ( $('password').value.length > 0 ) {
             // use Firefox password manager
             triggerPasswordManager();

             // now SOGo can do what's necessary to do the real login
             onLoginClick();
         }
         else {
             $('password').focus();
         }
     }
}

function onOurFieldKeyDown(event) {
     if ( event.keyCode == Event.KEY_RETURN ) {
         // We check existence of username and password in this function, so no need to do it twice
         onOurLoginClick(event);
     }
     else {
         // Let SOGo do the rest (delete error messages and so on)
         onFieldKeyDown(event);
     }
}

function triggerPasswordManager() {
     Event.observe( 'connectForm', 'submit', function(event) {
         Event.stop(event);
         if ( $('connectFormSubmit') ) {
             $('connectFormSubmit').remove();
         }
     });
     $('connectForm').insert({
         bottom: new Element('input', {
             id: 'connectFormSubmit',
             type: 'submit'
         }).setStyle({
             display: 'none'
         })
     });
     $('connectFormSubmit').click();
}
=============================================================================================



On 07.11.2014 13:06, Cristian Mack wrote:

Yes that is true.
And AFAIK this is intended behaviour, because of the security
implications especially in hostile environments like internet cafes.

On 2014-11-07 at 11:11, Martin Gojowsky wrote:
I do not agree that this is the same problem. Perhaps related somehow in the 
way that both deal with password managers.
But this bug says that a separate password manager (that recognized the 
password or got it manually) can not automatically open the webmail because the 
post address is wrong (pointing to an Ajax auth endpoint). I understand and 
know what the problem is. But it has nothing to do with my problem.
I am talking about the auto completion feature of Firefox. If it already has the 
password, it fills the form absolutely correctly. But it does not realize that the form is 
submitted so there is no prompt "Save this password for mail.example.org?"


On 06.11.2014 18:51, Jens Erat wrote:

Related: http://www.sogo.nu/bugs/view.php?id=2762
On 06.11.2014 18:34, Martin Gojowsky wrote:
I am a friend of Firefox password manager (on secure computers) and I miss it 
very much with SOGo webmail.
I did some research and Firefox developers already took much effort to make the 
recognition better. E.g. all POST requests with password field are covered.
But function onLoginClick in SOGoRootPage.js builds a URI and does 
authentication by Ajax GET.
I can do $('connectForm').submit(); in Firebug console to save the password for 
me. Or build another form on the same domain (sogo.example.org/passwordform). 
But these are workarounds just for me, no solution for everyone.

Is it possible to trigger Firefox in some other way?


--
[email protected]
https://inverse.ca/sogo/lists
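
Added example (not part of the thread and not SOGo code): the "Auto Domain Login" step from the script above, written as a pure function that also handles hosts with no dot, IP addresses, and multi-label suffixes. The function names and the `labels` parameter are assumptions made for this example; in the page's script the host would come from document.domain.

```javascript
// Added example: names and the `labels` parameter are assumptions, not SOGo API.

// True for IPv4 dotted quads and for anything that looks like an IPv6 literal.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// Return the last `labels` DNS labels of `host`, or null when no mail domain
// can be derived (empty host, single label such as "localhost", IP address).
function mailDomainFromHost(host, labels = 2) {
  if (typeof host !== 'string') return null;
  const h = host.trim().toLowerCase().replace(/\.$/, '');
  if (h === '' || isIpLiteral(h)) return null;
  const parts = h.split('.');
  const valid = parts.every((p) => /^[a-z0-9-]+$/.test(p));
  if (!valid || parts.length < labels) return null;
  return parts.slice(-labels).join('.');
}

// Append the derived domain only when the user typed no "@" and a domain
// could be derived; otherwise hand the name back unchanged so the login
// proceeds with exactly what was typed.
function completeUserName(userName, host, labels = 2) {
  const name = String(userName).trim();
  if (name === '' || name.includes('@')) return name;
  const domain = mailDomainFromHost(host, labels);
  return domain === null ? name : name + '@' + domain;
}

// Constructed sample inputs: [typed user name, page host, labels to keep].
// Taking two labels of a co.uk host would give "co.uk", so the admin has to
// set `labels` to 3 for such a deployment.
const samples = [
  ['martin', 'mail.example.org', 2],
  ['martin', 'localhost', 2],
  ['martin', '192.0.2.10', 2],
  ['martin', 'sogo.example.co.uk', 3],
  ['martin@other.example', 'mail.example.org', 2],
];
for (const [user, host, labels] of samples) {
  console.log(host + ' -> ' + completeUserName(user, host, labels));
}
```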
