Sorry, it's really starting to annoy me that I always have to enter my OTN username and password between every browser session. Why can it not use a cookie or whatever to keep me logged in at least for the day? Or better, let me save the password in my keychain so that I only have to press the "Sign In" button when the login appears.
Firefox has a built in "save password" option, which will supply username and password when accessing a particular web page. It works with sites like ebay and many other common sites, but for some reason it does not work with OTN. When accessing OTN it never prompts me if I want Firefox to remember the password. I'm not using private browsing and have no site in the save password exception list.
I found an add-on named "Saved Password Editor". It allows you to manually add username and password entries associated with a web site. But since almost any software calls home today, I'd rather not use any 3rd party tool to deal with security sensitive information. I checked the tool and it did not call home, but who knows what happens later.
Any other ideas?
Maybe the problem is simply because the login uses "ossusername" instead of "username" in the login form.
The reason for the browser not remembering username and password is in the form HTML used for authentication.
It specifically prohibits the browser from caching values (and remembering username and password) by disabling autocomplete:
<form method="post" action="/oam/server/sso/auth_cred_submit" name="LoginForm" autocomplete="off">
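The check described in the answer above can be automated. This is an added example, not part of the original thread: it parses a page and reports which credential fields have autocomplete switched off, either on the form or on the field itself. The sample page is constructed; only the LoginForm attributes and the "ossusername" field name come from the thread.

```python
from html.parser import HTMLParser

# Constructed sample page. The LoginForm attributes and the "ossusername" field
# name come from the thread; the other field and form names are assumptions.
SAMPLE = """
<form method="post" action="/oam/server/sso/auth_cred_submit" name="LoginForm" autocomplete="off">
  <input type="text" name="ossusername">
  <input type="password" name="password">
</form>
<form name="Search" action="/search"><input type="text" name="q"></form>
<form name="Other" method="post">
  <input type="text" name="user" autocomplete="off">
  <input type="password" name="pw">
</form>
"""

class LoginFormAudit(HTMLParser):
    """Record each form's fields with their effective autocomplete setting."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        auto = (a.get("autocomplete") or "").lower()
        if tag == "form":
            self._cur = {"name": a.get("name"), "auto": auto or "on", "fields": []}
        elif tag == "input" and self._cur is not None:
            # A field inherits the form's setting unless it declares its own.
            kind = (a.get("type") or "text").lower()
            self._cur["fields"].append((a.get("name"), kind, auto or self._cur["auto"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit(html):
    """Return login forms (those with a password field) and their autocomplete-off fields."""
    parser = LoginFormAudit()
    parser.feed(html)
    report = []
    for form in parser.forms:
        if any(kind == "password" for _, kind, _ in form["fields"]):
            off = [n for n, kind, eff in form["fields"]
                   if kind in ("text", "email", "password") and eff == "off"]
            report.append({"form": form["name"], "autocomplete_off": off})
    return report
```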
So what is the message? I have no particular objection to any solution that fixes the issue, besides installing 3rd party browser extensions.
Set-Cookie: ORA_UCM_VER=; domain=.oracle.com; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/
Unfortunately I cannot set my system date prior to 1970 to see what happens, but would the cookie allow me to login without the need to specify my username and password again until the cookie expires? Would that be a feasible option instead of enabling form autocomplete?
Speaking of which, the OTN forum defines "Cache-Control: private, no-cache, no-store, must-revalidate". This setting disables browser caching. I found the browser's back button very useful in the past to be able to get back the content of the forum editor, for instance, when some error occurred submitting the response or when I accidentally opened another web page. This used to work in the previous forum.
The editor's new recovery function so far has been rather confusing or completely useless for me. It does not help after being logged out without notice. It actually just happened and I received an "unexpected error" while posting this response, losing all text. (Un)fortunately I'm used to either copying and pasting the content before submitting or using my own text editor. But cutting and pasting has become a different story now after the forum upgrade with the buggy editor.
Meanwhile I understand that OTN cannot fix the problems with the forum software, but perhaps the login could be improved.
I believe it has been explained when this came up previously that the single sign-on that the OTN forums use is the same single sign-on that controls access to all of Oracle's internal systems where you really want to ensure that people are entering their usernames and passwords every time. Unfortunately, that means that the security requirements are driven by the needs of the most sensitive internal applications. The OTN forums end up basically having to live with the rather over-cautious security settings.
Thanks for the info. That sounds very likely to be the reason why the "save password" feature has been disabled. However I think such security concepts are antiquated.
Nobody who implements a certain security concept actually takes the responsibility for security issues, but yet all think it is necessary to patronize people and force them into "their" security system. If I am responsible for data security myself in the end, I rather prefer to have options and take matters in my own hands.
Whether or not a single sign-on is a good security concept is questionable. If someone gets a hold of my SSO login, they have access to everything Oracle, which makes SSO even a bad security concept. On the other hand, most people are silly enough to use the same password for everything anyway. I think it is the latter that needs to be addressed and it can be.
All desktop systems worth mentioning and even the browsers provide local password management tools, which make it feasible for a user to provide different passwords, even without having to remember them. Apple, for instance, has been providing a Keychain application for 15 years. Of course this does not necessarily address mobility, but that's up to myself. At least I would have some security options.
Meanwhile I found a solution. I installed a Firefox extension named RememberPass 1.1.2. It installs a file named email@example.com in ~/Library/Application Support/Firefox/Profiles/xxxx.default/extensions (Mac OSX), which is actually a zip file. I unzipped the file and found a JavaScript file named bootstrap.js. I verified it does nothing else than a search and replace of all occurrences of autocomplete from off to on and is not capturing keyboard input or calling home.
Btw, I'm not able to remove the automatic address linking done by the editor of the file mentioned above. It insists that it is an email address.
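The manual review described in the post above (unzip the extension, read its scripts, look for keyboard capture or network calls) can be repeated as a first-pass scan. This is an added example, not part of the original thread or of any extension's code: the indicator patterns and both sample archives are constructed, and a clean result narrows down what to read by hand rather than proving the code is harmless.

```python
import io
import re
import zipfile

# First-pass indicators a reviewer would grep for (illustrative, not exhaustive).
INDICATORS = {
    "network": re.compile(r"XMLHttpRequest|\bfetch\s*\(|WebSocket|sendBeacon"),
    "keyboard": re.compile(r"""["']key(down|press|up)["']"""),
    "autocomplete": re.compile(r"autocomplete", re.I),
}

def make_xpi(files):
    """Build an in-memory XPI (a plain zip) from {name: source}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, src in files.items():
            z.writestr(name, src)
    return buf.getvalue()

def audit_xpi(data):
    """Return {script: [(line_number, indicator), ...]} for every script in the XPI."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith((".js", ".jsm")):
                continue
            text = z.read(name).decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for label, rx in INDICATORS.items():
                    if rx.search(line):
                        findings.setdefault(name, []).append((lineno, label))
    return findings

# Constructed samples: an extension that only flips autocomplete, and one that
# additionally touches keyboard events and the network.
BENIGN = make_xpi({"bootstrap.js":
    'var forms = doc.forms;\nforms[0].setAttribute("autocomplete", "on");\n'})
SUSPECT = make_xpi({"bootstrap.js":
    'el.setAttribute("autocomplete", "on");\n'
    'win.addEventListener("keypress", handler, true);\n'
    'var req = new XMLHttpRequest();\n',
    "install.rdf": "<RDF/>"})
```

Running the same scan again after each extension update covers the "who knows what happens later" concern raised earlier in the thread.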