
Please note the code snippet is just there as an example, there is nothing wrong with the way it works - my question is relating to Chrome's default behaviour of prompting the user to remember their sign-in details, which I want to happen when the password is correct, but not to happen when the password is wrong.

I have been looking around, and come across other articles, but they aren't specifically for my issue and cannot be related to it.

The backend code handling a form submission essentially goes like this (cut down because the code is not actually the problem here):

if(password_verify($password,$dbpassword)){
   //Task: Please DO prompt me here chrome, this is correct
   header('Location: /account');
   exit();
}
setcookie('error','Your password is incorrect',time()+5,'/','',true);
//Task: Please DON'T prompt me here chrome, this is the wrong password!
header('Location: /log-in');
exit();

The log in page then reads the set cookie and displays the error, prompting the user to make another attempt.

The problem is not related to my code. The code is fine.

Chrome takes the header('Location:') to mean that login was successful, thus prompting the user to save these details (annoying). I was wondering if anyone knows how to basically tell the browser it was a failed attempt?

Untested, but I imagine the same prompt would occur on other browsers that offer the same user/password storage... So an all-browser solution would be amazing if anyone has one... I'm sure it is a simple one-liner to fix this, but I've been researching for over an hour with no success.

My code so far performs fine like this:

  1. Cookie set with error message ✓
  2. Header redirect back to login page ✓
  3. Cookie read & error message displayed ✓
  4. Cookie removed ✓
  5. Google shouldn't ask to remember because it was wrong ❌

  • You should exit after the header (first one), then the code below it won't fire – Lawrence Cherone May 29 '22 at 12:11
  • Sorry, I had actually omitted that in my "barebones" example which I have now updated, but it isn't actually the code I have an issue with - that is merely to show what I am doing... I am looking for a way to control Chrome's behaviour in regards to the password prompt – SomethingSomethingSo May 29 '22 at 12:49
  • The reason Chrome asks to save is that it thinks the username/password is correct. Rather than redirecting, send a 401 header. Why are you using cookies to send responses? – Lawrence Cherone May 29 '22 at 12:53
  • The idea is that: Cookie is set >> Header back to login page >> Error displays using the cookie value (sanitized of course) >> Cookie removed... It doesn't have to be a cookie, I could append the URL but it would give the same result, the issue is the page should revert to the login page, and display an error which it does, but Chrome asks to remember the erroneous password – SomethingSomethingSo May 29 '22 at 12:58

1 Answer

You could try telling the browser that the user is not authenticated yet, by setting the status code 401 (Unauthorized):

http_response_code(401);

However, you should be aware that the Location header should only be used with redirect status codes (3xx). Therefore, to prevent unexpected behavior, consider either directly rendering the login page or using a different method of redirection. See also this answer.

Wouter
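
The layout the answer above suggests (401 plus the login page rendered directly, with no Location header on failure), written out as an added example that is not part of the original question or answer. The function names, form field names and the in-memory user store are assumptions made for illustration; how a particular browser's password manager reacts to the 401 is the answer's suggestion and is not verified here.

```php
<?php
declare(strict_types=1);

// Constructed sample user store (hypothetical); a real app queries its database.
function lookup_password_hash(string $username): ?string
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

// Builds the login page; the error text is escaped before it reaches the HTML.
function render_login(string $error = ''): string
{
    $msg = $error === ''
        ? ''
        : '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    return '<!doctype html><title>Log in</title>' . $msg
        . '<form method="post" action="/log-in">'
        . '<input name="username" autocomplete="username">'
        . '<input name="password" type="password" autocomplete="current-password">'
        . '<button>Log in</button></form>';
}

function handle_login(string $method, array $post): void
{
    if ($method !== 'POST') {
        echo render_login();
        return;
    }
    $username = is_string($post['username'] ?? null) ? $post['username'] : '';
    $password = is_string($post['password'] ?? null) ? $post['password'] : '';
    $hash = lookup_password_hash($username);

    if ($hash !== null && password_verify($password, $hash)) {
        session_start();
        session_regenerate_id(true);             // new session ID once authenticated
        $_SESSION['user'] = $username;
        header('Location: /account', true, 303); // redirect only on success
        return;
    }
    // Failure: no Location header and no error cookie. The 401 response
    // itself carries the login form and the message.
    http_response_code(401);
    echo render_login('Your password is incorrect');
}

handle_login($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
```

Because the error travels in the 401 response body, the short-lived error cookie and the step that reads and deletes it are no longer needed.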