Using Never URI for Autofill

I am the admin for a web application and the Bitwarden browser extension keeps autofilling my login information on other users’ profile configuration screens. I have the Bitwarden entry configured with a URI set to “Never” and the full address of the user administration page where this happens (e.g., Asbury Park Press NJ | Jersey Shore & New Jersey News). However, my credentials still get autofilled there. How do I stop this from happening?

Browser: Chrome 104.0
OS: Windows 10

Hey @WildWanderer just to confirm, did you disable Chrome’s ability to manage credentials?

I had not, but I just tried disabling those settings and then visiting the page again and bitwarden is still autofilling there.

This response is not going to solve your problem, but I have a few questions (since no one here will be able to actually reproduce your problem without being able to log in as an admin at APP!).

When you’re on the userdetails.asp page, does your Bitwarden badge (icon) show a count (e.g., 1 or larger)?

Also, for @dwbit: When the matching option is set to Never, what method is actually used to determine if the URI matches (i.e., does it “Never” autofill if the URI match is exact, matches the host, base, etc.?)?

@grb expected behavior:

Selecting Never will prompt Bitwarden to never offer auto-fill for the item.

Yes, it does. It shows “4” and it autofills the one of those four entries for which I have autofill on page load enabled.

But surely not never ever, right? :slight_smile: It should be never for that particular URI.

Just to be clear, I have the specific URL configured with Never and then the entire entry set to autofill on page load (my default in Options is autofill enabled).
image

Auto-fill on page load is currently experimental (WIP). When disabled, and you cycle through logins using the keyboard shortcuts, does it avoid the one set to ‘never’?

Ctrl/CMD + Shift + L Auto-fill, press again to cycle through matching logins

If so, I can follow up with the team on auto-fill on page load when set to ‘never’.

In this context, does “item” refer to the Login item, or to the specified URI? For example, if I configure two different URIs for a Login item, with the first URI’s matching option set to Base domain and the second URI’s matching option set to Never, are you saying that the second item will override the first, preventing any URI from ever matching, as long as a single URI has been set to “Never”?

I disabled autofill for this entry and confirmed it is disabled for the other three, as well. I loaded the page in question and my credentials were not autofilled. So far, so good.

When I cycle through the logins using Ctrl/CMD + Shift + L, all four logins get filled in turn. So it does seem something is broken with the URI set to Never.

I will say that I think this was working correctly for some time and that the issue appeared within the last couple of weeks - though I’m not certain.

Can this be a solution/work-around for you? When you need to log in as admin, you can use the keyboard shortcut, and you presumably would not apply the autofill keyboard shortcut while on on other users’ profile configuration screens.

Can you check to see if you see the same behavior with a different browser and fresh extension install?

Fresh extension install in Firefox 104:
With the same settings (autofill enabled in Options, preferred login set to autofill, other three logins set to not autofill, and URI on preferred login for the user admin page set to Never), I have the same experience as in Chrome: my preferred login autofills on the user admin page.

Yes, I’ll use this workaround in the meantime. :+1:

@dwbit I think the documentation is wrong or misleading, as the word “item” evidently refers to the URI itself, not to the Login item within which the URI has been saved. Which brings me back to my original question: in order to determine whether a URI that has been set to “Never” match should be excluded from autofill, does the app require the URI to match exactly, or only to the base domain, to the host, or to the start of the URI for the current page in the browser?

1 Like

In the screenshot, the URL is for the host us2.concursolutions.com, but in your original post, you said the problem occured at https://us.app.com/admin/userdetails.asp. Which of these two URLs actually shows in the address bar when you are on a user profile configuration screen?

None of those. Never just means ignore the entered URI and don’t try to match it. And it doesn’t affect any other URIs in the item.

My OP was just generalizing. The actual URL matches the screenshot.

@WildWanderer - Your screenshot shows that you have multiple URIs entered in the login item that is autofilling. To troubleshoot which one is causing the autofill, set the match option for ALL of them to Never, and then it should no longer autofill. One by one, set each URI back to the original matching rule to figure out which URI is causing the match and autofill.

What is the point of Never for the URI then? Just to store a URL that will never be used in any fashion except manually referencing/storing it?