url arguments checker

[witte1000]

Hello Brantje & Co,

First of all congratulations with all the work done it's amazing how fast you guy's are going !!! Feature request

We are testing your passman firefox addon witch is an illumination but we found a little small issue. Like you know we are a DBA company with some special needs ;)

The little small issue what we encounter is following (try to explain).

when we go to http://www.site.com/logcontrol/f?p=123 and save the password for this site, then we go to http://www.site.com/logcontrol/f?p=456 witch is a complete different site, then the account of the first site /f?p=123 also appear or

if we go to http://www.site.com/logcontrol/f?p=420 and save the password for this site, going then to http://www.site.com/testapps/f?p=4550 witch are complete different sites then also appear the other account. This can be very annoying specially if you have a bunch of those special sites. So would it be possible that you can add a checkbox where we can add the url arguments string. So it wouldn't change anything (backward compatible) but for us a hole illumination. There is no other password manager we know who has this feature !!! Passman will become the first and best proper password manager ;)

Btw: I'm not able anymore to connect to the mattermost ...

Very much appreciation And thanks in advance,

Kind Regards,

witte

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/48975703-url-arguments-checker?utm_campaign=plugin&utm_content=tracker%2F52236699&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F52236699&utm_medium=issues&utm_source=github).

[brantje]

This is a thing, some want param matching others don't. @dardelet What you think?

[gjgd]

I don't know about this feature, it seems very specific. There is tons of different ways a special site could be defined.

For example you mention that the p GET parameter defines a specific site, but that means that http://www.site.com/logcontrol/f?p=123 and http://www.site.com/testapps/f?p=123 would belong to the same site which I'm guessing is not the case.

[witte1000]

Ok Answer of my Boss,

No, these are different sites (in my case – and in the millions of Oracle Apex applications that have already been developed in the world).

If you want to understand the details (in short):

n All pages of an Oracle Apex application are dynamically generated using code in a database

n Host and port in the url are obvious

n The first part of the url will determine what database you connect to (connection is configured in the http server)

n The argument (f?p=123 in our case) determines what application to generate. In other words, one database can generate many applications

But anyway, the question is the following:

• Now you store the password in combination with http(s)://host:port and if the url in the browser matches http(s)://host:port you propose this password

o So you show this password for http(s)://host:port/abc

o So you show this password for http(s)://host:port/abc/def

o So you show this password for http(s)://host:port/abc/def/g?h=i

o So you DO NOT show the password for http(s)://OTHERHOST:port

• Question: Could you store the password in combination with a longer url, e.g.: http(s)://host:port/abd/def/g=h=i ?

o You should show the password for http(s)://host:port/abc/def/g?h=i

o You SHOULD NOT show this password for http(s)://host:port

o You SHOULD NOT show this password for http(s)://host:port/abc/def/g?h=OTHERVALUE

So in fact it doesn’t matter if the url determines different applications, different databases or whatever. You just do a full (or regexp – would even be better) match of the url in the browser with the url that is stored with the password.

And of course, you could add a switch to manually enable this behavior (and by default, keep the current behavior, so that are no issues with backward compatibility).

I really would appreciate it if you could implement this.

Geert

[animalillo]

I was commenting with @brantje and maybe an strict url matching option could fix your issue. What do you think?

[witte1000]

That would be great, but would it be possible to do it as follows:

• In the vault you store a password, with url http(s)://host:port/abc

• The user requests in his browser: http(s)://host:port/abc/DEF

o à Match detected, password used.

• The user requests in his browser: http(s)://host:port/GHI

o à No match

So if the first part of the browser-url matches the stored value of the url in passman, the password should be shown. That would completely solve my issue. (the reason is that f?p=123 determines the application, but Oracle will in fact append more info, like a page- and sessionid, i.e. the real url will become: f?p=123:: Thanks, Geert

[brantje]

So you mean partial parameter matching, am i right?

[witte1000]

I don’t know what you mean with ‘partial parameter matching’, but let me tell it in another way:

• Consider the URL as a very long string, don’t think about the meaning of ‘:’, ‘//’, ‘?’ or ‘&’.

• Store a regular expression together with the username/password in the vault

• If the url matches with the regular expression, then the username/password applies to this site

o (or in a ‘simple’ version, you could do a simple string comparison instead of regular expression matching)

Is that clear? Geert

[brantje]

It's clear, but it's really an edge case as we didn't hear any other users about this yet. Let's see how many :+1: the issue gets.

[misterbridge]

I think I have kinda the same problem/request. I have one of many exemples in my insurance company, which, on the same site, have 4 sections:

• Classic insurance | https://site.com/insurance
• Health insurance | https://site.com/health
• Life insurance | https://site.com/life
• Bank | https://site.com/bank

Each of which have different accounts.

Same domain, different routes. But all of my stored passwords are retrieved so I have to manually select the right one each time. Annoying :(