PHP Header Location - Prevent Chrome Prompting Save Password

Time:05-29

Please note the code snippet is just there as an example, there is nothing wrong with the way it works - my question is relating to Chrome's default behaviour of prompting the user to remember their sign-in details, which I want to happen when the password is correct, but not to happen when the password is wrong.

I have been looking around, and come across other articles, but they aren't specifically for my issue and cannot be related to it.

The backend code handling a form submission essentially goes like this (cut down because the code is not actually the problem here):

if(password_verify($password,$dbpassword)){
   //Task: Please DO prompt me here chrome, this is correct
   header('Location: /account');
   exit();
}
setcookie('error','Your password is incorrect',time() + 5,'/','',true);
//Task: Please DON'T prompt me here chrome, this is the wrong password!
header('Location: /log-in');
exit();

The log in page then reads the set cookie and displays the error, prompting the user to make another attempt.

The problem is not related to my code. The code is fine.

Chrome takes the header('Location:') to mean that login was successful, thus prompting the user to save these details (annoying). I was wondering if anyone knows how to basically tell the browser it was a failed attempt?

Untested, but I imagine the same prompt would occur on other browsers that offer the same user/password storage... So an all-browser solution would be amazing if anyone has... I'm sure it is a simple one liner to fix this, but I've been researching for over an hour with no success.

My code so far performs fine like this:

  1. Cookie set with error message ✓
  2. Header redirect back to login page ✓
  3. Cookie read & error message displayed ✓
  4. Cookie removed ✓
  5. Google shouldn't ask to remember because it was wrong ❌

CodePudding user response:

You could try telling the browser that the user is not authenticated yet, by setting the status code 401 (Unauthorized):

http_response_code(401);

However, you should be aware that the Location header should only be used with redirect status codes (3xx). Therefore, to prevent unexpected behavior, consider either directly rendering the login page or using a different method of redirection. See also this answer.
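One way to combine the two points in the answer above, as an added example that is not the poster's or the answerer's code: a failed attempt gets a 401 response with the login form rendered directly (no Location header), and only a successful login redirects. The `render_login_form` helper, the form field names, the session key and the sample hash are assumptions; whether a particular browser's password manager treats the 401 as a failed attempt depends on that browser's heuristics.

```php
<?php
declare(strict_types=1);

// Constructed sample: stands in for the hash loaded from the user record.
$dbpassword = password_hash('correct horse', PASSWORD_DEFAULT);

// Hypothetical helper: renders the login form, optionally with an error.
function render_login_form(?string $error = null): void
{
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store'); // do not cache the login page
    echo '<!doctype html><title>Log in</title>';
    if ($error !== null) {
        // The message is set server-side here, not read back from a cookie,
        // and is still escaped so the template stays safe if that changes.
        echo '<p role="alert">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="/log-in">'
       . '<input name="username" autocomplete="username">'
       . '<input name="password" type="password" autocomplete="current-password">'
       . '<button>Log in</button></form>';
}

// GET (or any non-POST): just show the form.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    render_login_form();
    exit();
}

$password = $_POST['password'] ?? '';
if (is_string($password) && password_verify($password, $dbpassword)) {
    session_start();
    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['authenticated'] = true;       // assumed session key
    header('Location: /account', true, 303); // redirect only on success
    exit();
}

// Failed attempt: 401 with the form in the body, no redirect and no cookie.
http_response_code(401);
render_login_form('Your password is incorrect');
exit();
```

Rendering the error in the same response also removes the short-lived `error` cookie, so the text shown on the login page no longer comes from a client-controlled value.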
