Login/Register
How do password managers know when I've logged in successfully?
Asked Answered
javascriptgoogle-chromepasswordsbrowser-extensionlastpass
P

6

13

So you know how you are presented with a login screen and then, you fill it out, and then the browser loads the next page? At this point, somehow the password manager bar pops up for LastPass, 1Password, or some other extension, asking if you want to save the password. How do they know you've just logged in successfully??

  • Forms are sometimes submitted and other times the js intercepts the form submit and sends AJAX.
  • The response comes back and may set a new cookie, but sometimes the existing session cookie continues to be used (allows session fixation attacks but some implementations do that).
  • A new location is loaded or reloaded but sometimes the javascript reloads a portion of the document instead

But somehow these password managers DETECT that I've logged into a site successfully! How? Is it because I entered something in a password field, and then some form was submitted or some network request was sent? But how do they know it was successful?

Anyone familiar with these password managers able to give some useful info?

The reason I ask is that I want to develop an extension that detects when you've logged in and somehow tries to extract your user id from the service. It is for the purposes of sharing your user id with friends automatically, and letting them know (with your permission) what sites you are using a lot.

Any hints on techniques to extract the logged-in user's id on the service would also be helpful.

Pardon answered 13/12, 2016 at 17:48 Comment(3)
wow.. a 100 pt bounty all because you couldn't figure out how to work the google... for shameInulin
What's shameful is claiming that you wrestled a bear once in your username. I doubt the bear thought it was wrestling.Pardon
Lmao well played gregory, well playedInulin
T
18

They aren't actually aware of a successful login in most cases. They are aware that a form with a password field was submitted, and the response was a 200OK. This may still be a page displaying an error message.

As for extracting user IDs, I'm pretty sure you mean profile pages or something similar. That will have to be done on a site by site basis as sites will have their own APIs and route structures.

Tanager answered 14/12, 2016 at 19:7 Comment(0)
P
8

As someone already answered this question, I will agree with him.

They aren't actually aware of a successful login in most cases. They are aware that a form with a password field was submitted, and the response was a 200OK. This may still be a page displaying an error message.

Since browsers watch for the request having a password field in it and the response status, But still you can fool the browsers easily. To get to know about the logged in userid you definitely need backend support / api. It depends on the authentication frameworks used in the back-end. But you can get the form fields easily, but extracting / finding userid from the form fields is a quiet difficult task, In most cases, form will be having only two fields there you can manage to get the userid. But in some cases like banking sites they will send few dummy fields fool such tools, Also many fields will be encrypted in the client itself to protect man in the middle attacks. In some cases userid is different from email, So its difficult task.

Pyrosis answered 19/12, 2016 at 13:33 Comment(0)
V
5

They only detect if the form was submitted, and it a code 200 (OK) was returned. They don't necessarily know if you were logged in, but this method works on most websites. They might also detect if a new page was loaded afterwards, since a failed login doesn't usually redirect the user. I have, however, had a prompt to save an incorrect password before.

Volans answered 20/12, 2016 at 4:14 Comment(0)
G
5

They can detect your current tab. and each HTML element of that page. May we they have list of login page case to detect keywords like login,username,forgot password. and check all keyword to identify this is login page.

They just ready page and even they can read your password (yes) .

If you made request from that page & response will be 200ok it means your password is correct.

Grovergroves answered 21/12, 2016 at 18:50 Comment(0)
I
2

Whenever to request to server with username and password the server checks these two entry into their database and the server will found your data it will return response code 200 and using AJAX success call back script will catch the response code and will show successful message.

and also return some sort of information you can store into localStorage of browser or into cookie for further use.

Interferon answered 22/12, 2016 at 11:52 Comment(0)
R
0

I have created a couple of pages static HTML and form: So when form is submitted it goes to second page.

Let's test

<form action="test1.html">    
<input type="text" />
<input type="password" />    
<input type="submit" />    
</form>

</body>

Chrome don't bothered anything happened. While firefox has given a popup to save password even when form is submitted to an error page.

So firefox only looks for a form submitted with a password field and asks for save password popup box.

If want to create an extension which can check wheather user is successfully logged-in and then you want to ask for password remember popup. For that you have to check for server response. I couldn't create a dynamic page to to proof read it with browser example.

Redstone answered 23/12, 2016 at 10:18 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.