Hi,

I am working for a website which currently offers a portal page with an ssl and 
a non-ssl version, having a login form posting to an ssl-only login server and 
providing the authenticated content ssl-only. Still, most of our users use the 
non-ssl version of that page.

In order to increase the level of security offered to our users, we are 
thinking of switching the portal page to ssl-only using a redirect in the first 
place (yes, hsts might follow).

After testing this, we realized that many of our customers stored their 
credentials in the browser and, by switching from non-ssl to ssl, they lost the 
possibility to use them on the ssl version of the portal page as well. It looks 
like Mozilla Firefox is the only browser that behaves like this and does not use 
the credentials stored for a domain when using the non-ssl version also for the 
ssl version. This leads to many support issues, helping the customers either to 
reveal their password for themselves by directing them to the settings or 
helping them to reset and change their passwords.

As login forms on non-ssl pages are being blamed even more starting with Firefox 
version 44, more providers of pages like ours will probably change the behaviour, 
but will find their users in that trap of not being helped by the browser. This 
might even prevent providers with non-ssl login pages from switching, being 
afraid of the support volumes they are expected to handle.

Are there any chances to help the user using the stored credentials on the 
serverside?

Would be happy to get some help on that issue from the community.

Best regards,
Thomas Schäfer
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform