//online.citi.com/US/login.do has hidden user ID panel

Issue #14331122 • Assigned to Steven K.

Details

Author: Richard S.
Created: Oct 21, 2017
Privacy: This issue is public.
Found in: Microsoft Edge
Found in build #: 16.16299
Reports: Reported by 1 person

Steps to reproduce

https://online.citi.com/US/login.do has a sign in panel in the upper right for which the user ID field is hidden. It is hidden only when there is a saved username and password. If I open the page in an InPrivate window, both user ID and password fields are displayed.

The HTML for the user ID field is the following with angle brackets replaced with braces. Note that the saved username value is not present.

{input name="username" class="form-control userMask" id="username" aria-describedby="usernameLabel" style="display: none;" type="text" placeholder="User ID" autocomplete="off"}

The password field is functional and does have the saved password. It’s possible to use the F12 tools to remove the style attribute to sign in after typing the user ID.

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Richard,

    Being able to do this depends on how the site has been coded.  My guess is that this could work either by changing the hidden attribute or modifying the username.  If the state of your connection to the server is tracked, the server could detect the user is changing and force a new login from scratch.

    Also, if you clear your cookies that login screen should look similar to what you saw in the private browsing session.

    Steve

  • If I clear everything except form data and passwords, which I did, the behavior is the same. One less obvious feature of InPrivate is that password autofill is available but not performed by default. It is that that is responsible for the behavior difference.

  • It manifests on Windows 10 Mobile (RS2) as well. I’ll try to attach a screenshot.

  • You need to clear everything and especially those two fields.  I am not getting the same behavior.  I have attached what I get whether I have save my username checked or not.  I have attached the login screen and the login screen showing the HTML you mentioned.  As far as I could see the HTML is matching.  If you read the comments, it mentioned about conditional behavior based on the cookie contents.

    I recommend clearing everything just in case the data in the cookie is not proper and is confusing the page.  It will get reset immediately after logging in again.

    Can you give more details on what you are seeing in the InPrivate session?  Are you seeing saved usernames or passwords?

    Let me know,

    Steve

  • I don’t see your attachments. I may not have been clear. When I mention the saved username and password I mean saved in the Edge password store, not in cookies. I have all cookies, storage, and everything else cleared. Beyond having Edge configured to clear everything except form fields and passwords, I run the following first to clear everything that Edge doesn’t clear and more:

    @setlocal
    rem Work inside the Edge package directory; stop if it cannot be entered.
    cd /d "%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" || exit /b 1
    rem Remove every directory named cache, default, CryptnetUrlCache, f12 or cookies.
    for /f "delims=" %%i in ('dir /s /ad /b cache default CryptnetUrlCache f12 cookies') do rd /s /q "%%i"

    An InPrivate window displays both the user ID and password fields. This is to show that the issue is not related to cookies, none of which are set in either scenario. The issue is related to Edge automatically filling the user ID and password fields.
