//online.citi.com/US/login.do has hidden user ID panel

Issue #14331122 • Assigned to Scott L.

Details

Author: Richard S.
Created: Oct 21, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 16.16299
Reports: Reported by 1 person


Steps to reproduce

https://online.citi.com/US/login.do has a sign in panel in the upper right for which the user ID field is hidden. It is hidden only when there is a saved username and password. If I open the page in an InPrivate window, both user ID and password fields are displayed.

The HTML for the user ID field is the following with angle brackets replaced with braces. Note that the saved username value is not present.

{input name="username" class="form-control userMask" id="username" aria-describedby="usernameLabel" style="display: none;" type="text" placeholder="User ID" autocomplete="off"}

The password field is functional and does have the saved password. It’s possible to use the F12 tools to remove the style attribute to sign in after typing the user ID.
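
A console check for the state described in this report, as an added example that is not part of the original issue and is not Edge's or the site's code: it lists user ID fields hidden by their own `display: none` in a form whose password field is still visible, without printing any field value. The `password` field name and the stub document used outside a browser are constructed assumptions.

```javascript
"use strict";

// Describe text and password inputs without reading out their values.
function describeInputs(doc, computedStyle) {
  return Array.from(doc.querySelectorAll("input"))
    .filter((el) => ["text", "email", "password"].includes(el.type))
    .map((el) => ({
      el,
      name: el.name || el.id || "(unnamed)",
      type: el.type,
      autocomplete: el.getAttribute("autocomplete"),
      inlineDisplay: el.style.display || "",
      // Only the element's own display is checked, not a hidden ancestor.
      hidden: computedStyle(el).display === "none",
      filled: el.value.length > 0, // length only; the value is never logged
    }));
}

// The reported state: a visible password field whose form also holds a
// hidden non-password (user ID) field.
function findHiddenUserIdFields(doc, computedStyle) {
  const rows = describeInputs(doc, computedStyle);
  const visiblePw = rows.filter((r) => r.type === "password" && !r.hidden);
  return rows
    .filter((r) => r.type !== "password" && r.hidden)
    .filter((r) => visiblePw.some((p) => p.el.form === r.el.form))
    .map(({ el, ...rest }) => rest);
}

// Constructed stand-in for the markup quoted above, for use outside a browser.
function sampleDoc(userIdDisplay) {
  const form = {};
  const input = (type, name, display, value) => ({
    type, name, id: name, value, form, style: { display },
    getAttribute: (a) => (a === "autocomplete" ? "off" : null),
  });
  const els = [
    input("text", "username", userIdDisplay, ""),
    input("password", "password", "", "constructed-secret"),
  ];
  return { querySelectorAll: () => els };
}
const sampleStyle = (el) => ({ display: el.style.display || "inline-block" });

if (typeof document !== "undefined") {
  console.table(findHiddenUserIdFields(document, (el) => getComputedStyle(el)));
} else {
  console.table(findHiddenUserIdFields(sampleDoc("none"), sampleStyle));
}
```

Pasted into the F12 console, it reports on the live page; run under Node, it reports on the constructed stub.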


Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Richard,

    Being able to do this depends on how the site has been coded.  My guess is that this could work either by changing the hidden attribute or modifying the username.  If the state of your connection to the server is tracked, the server could detect the user is changing and force a new login from scratch.

    Also, if you clear your cookies that login screen should be similar to what you saw in the private browsing session.

    Steve

  • If I clear everything except form data and passwords, which I did, the behavior is the same. One less obvious feature of InPrivate is that password autofill is available but not performed by default. It is that that is responsible for the behavior difference.

  • It manifests on Windows 10 Mobile (RS2) as well. I’ll try to attach a screenshot.

  • You need to clear everything and especially those two fields.  I am not getting the same behavior.  I have attached what I get whether I have save my username checked or not.  I have attached the login screen and the login screen showing the HTML you mentioned.  As far as I could see the HTML is matching.  If you read the comments, it mentioned about conditional behavior based on the cookie contents.

    I recommend clearing everything just in case the data in the cookie is not proper and is confusing the page.  It will get reset immediately after logging in again.

    Can you give more details on what you are seeing in the InPrivate session?  Are you seeing saved usernames or passwords?

    Let me know,

    Steve

  • I don’t see your attachments. I may not have been clear. When I mention the saved username and password I mean saved in the Edge password store not in cookies. I have all cookies, storage, and everything else cleared. Beyond having Edge configured to clear everything except form fields and passwords, I run the following first to clear everything that Edge doesn’t clear and more:

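    @setlocal
    rem Delete Edge's cache, default, CryptnetUrlCache, f12 and cookies directories.
    rem "delims=" keeps a path that contains spaces in one piece before rd runs on it.
    cd /d "%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" || exit /b 1
    for /f "delims=" %%i in ('dir /s /ad /b cache default CryptnetUrlCache f12 cookies') do rd /s /q "%%i"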

    An InPrivate window displays both the user ID and password fields. This is to show that the issue is not related to cookies, none of which are set in either scenario. The issue is related to Edge automatically filling the user ID and password fields.

  • Hi Richard,

    I apologize, I forgot to attach the screenshots.  They are attached now.

    Are you still seeing this issue?  I have read your comments and will look at this again.  Sorry for the extended delay.

  • It also appears that the login webpage has changed since you originally submitted this ticket 6 months ago.  I see options now on the website to switch user IDs.

  • I have a username and password saved. The site now uses autocomplete=off but this only prevents new passwords from being saved while pre-existing saved values are honored. When I visit this page on a PC with a saved password, the username control is missing. When I visit this page on a PC without a saved password or with an InPrivate window, the username control is displayed. If you have a way to inject a username and password into Edge’s password store, try with that. I’ll attach a screenshot of what I see with F12.

  • That is helpful.  Thank you for the quick response.  I will try with a saved password.  I will see about injecting one into my password store.

    Will you provide the extended version of Windows 10 you are using now?  Win + S and type “winver” and hit enter.

  • Added 2018-04-18 (2).png. I am now using RS4 17134.1.

  • Thank you for the Windows version.

    When you are in an ‘inPrivate’ window on the online.citi.com site, are your saved password and login information accessible and useable?  I assume the feature is enabled for your ‘inPrivate’ browsing as it is enabled by default if the non ‘inPrivate’ browser setting is enabled.

  • On this site, saved password is not available in InPrivate. On other sites, the passwords are available in InPrivate. I’ve not experimented. I suspect the InPrivate issue is with autocomplete=off. InPrivate is a bit of a red herring. I only intended to point out that the problem is a consequence of Edge’s automatic field fill.

  • Microsoft Edge Team

    Changed Assigned To to “Scott L.”
