Some folks have reported that Internet Explorer doesn’t remember their login details. This is a tricky problem to troubleshoot because there are a number of different problems which get lumped together under this description, and there are a number of different causes for each problem.
There are two types of commonly reported problems:
- Internet Explorer’s Forms-Based Password XXXXX doesn’t work?
- Clicking “Remember me” on websites doesn’t seem to work?
Troubleshooting IE’s Forms-Based Password XXXXX
Internet Explorer actually has two password XXXXX: the WinINET-provided password XXXXX that remembers HTTP authentication credentials, and an IE-specific password XXXXX that remembers passwords typed into web forms. For the purposes of this question, we’re only going to be talking about the second one.
The Forms-Based Password XXXXX prompts you to save your password XXXXX it recognizes that you’ve filled in a login form. The prompt looks like this:
If you DON’T see this prompt, there are several possibilities:
- You have disabled autocomplete in your browser by checking the “Don’t offer to remember any more passwords” box.
- The page has explicitly disabled autocomplete by using the AUTOCOMPLETE=OFF attribute.
- The HTTPS-delivered page implicitly disabled autocomplete by returning a HTTP directive forbidding caching.
- Internet Explorer didn’t recognize that the page had a login form.
You can resolve problem #1 in IE by clicking Tools > Internet Options > Content > Autocomplete > Settings and checking the User names and passwords on forms and Ask me before saving passwords checkboxes.
Issues #2 to #5 are under the control of the website, although most users won't know that. There is no way for the user to resolve these problems short of asking the website to update their page.
Case #XXXXX is an interesting one. One possibility is that IE doesn't "see" the login form at all, for instance, because it was written using Adobe Flash, Silverlight, Java, etc. Another possibility is that IE doesn't "recognize" the form as a login form, because it contains more inputs than expected. For instance, Facebook uses a fancy login form that shows the cue text "Password" in a INPUT TYPE=TEXT control until the user puts their cursor in the box. When they do, Facebook uses CSS to hide the password_placeholder box and replaces it with a INPUT TYPE=PASSWORD XXXXX into which the user types their password. Unfortunately, while it's hidden by CSS, the placeholder is still a part of the form, and it's submitted with the form. Because of this extraneous INPUT TYPE=TEXT control, IE assumes that this isn't a login form and does not offer to save the password. Facebook fixed this problem in October 2009.
If you DO see this prompt, but the password XXXXX’t seem to autofill, there are several possibilities:
- The website’s login page uses paths that contain unique or changing tokens
- The websites login page deliberately randomizes the name of the form fields
- Your stored passwords are being cleared between visits
The Forms-Based password XXXXX is designed to recognize when you’re revisiting a login form for which you’ve previously stored a password. When you enter a username for which you’ve stored a password, the password XXXXX automatically be filled in the appropriate box.
A key point here is that IE must recognize that this is a form for which you’ve stored a password. IE’s password XXXXX takes into account the URL (specifically the hostname + folder path) and the name of the form fields. If the website changes these values (for instance, it stores a session identifier as a “virtual” folder in the URL), then IE will not recognize a revisit the login form and will not fill the password. Similarly, if the website changes the names of the HTML input controls, IE will not fill the password. I have encountered several sites which suffer from one or both of these problems.
Lastly, it’s possible that your stored passwords are simply being deleted. IE includes a number of features that allow you to delete your browsing history, including your stored passwords.
Make sure that you have the checkbox Delete browsing history on exit checkbox unchecked inside Tools > Internet Options > General. Also, if you use the Delete Browser History command, you should uncheck the Passwords checkbox or you will lose your stored passwords.
Troubleshooting Login Cookies
Other users have encountered problems where a website offers a “Remember me” checkbox but that checkbox doesn’t seem to work. There are a number of possible reasons for this:
- You checked “Remember me” while in IE’s InPrivate browsing mode
- Your cookie settings restrict the server’s ability to set persistent cookies
- Your browser zones configuration is incompatible
- Your browser isn’t patched
- The website’s security policy requires an occasional login
- The website’s cookies are being cleared
Problem #1 is simple enough-- “Remember me” features typically require the server to set a persistent HTTP cookie to store your authentication information. When you are browsing in IE8’s InPrivate Browsing mode, all persistent cookies are automatically downgraded to session cookies that expire on browser exit. Also, when the browser starts an InPrivate Browsing session, the cookie jar starts out empty for that session. So, you should not expect “Remember me” to work if you either are in an InPrivate session, or checked the box in such a session.
Problem #2 occurs if you’ve adjusted your cookie settings inside Tools / Internet Options / Privacy. If you’ve changed these settings from the defaults (or if the site is constructed in an unconventional way) the site may not be permitted to save persistent cookies at all. When this is the case, the site will not be able to set persistent cookies and hence the “Remember me” feature will not work.
Problem #3 occurs on Windows Vista and above, when you have configured one subdomain to run outside of Protected Mode (e.g. put it in the Trusted Zone) and another related subdomain to run inside of Protected Mode (e.g. left it in the Internet Zone). This isn’t terribly common, but might occur if you, for instance, put login.live.com in the Trusted Zone but didn’t put mail.live.com in the Trusted Zone. The root cause of this obscure problem is that Protected Mode and non-Protected Mode do not share cookies, and hence a cookie set by a site outside of Protected Mode will not be visible to a site running inside Protected Mode, and vice versa.
In some cases, this can lead to even worse problems. For instance, consider the case where you put www.google.com in the Trusted Zone and visit www.gmail.com. If you then try to log into GMail, you will be redirected endlessly, as the login host redirects you to the application host (since the login page has the cookie and believes you're logged in), and the application bounces you back to the login page (because the application doesn't see your login cookie). Servers can prevent such loops by passing querystring parameters when redirecting so the destination knows not to immediately redirect back in a loop.
Problem #4 relates to obscure cookie-related issues in IE7 which were fixed in subsequent patches. Ensure you have the latest updates for your browser using WindowsUpdate.
Problem #5 is that some sites (particularly secure sites) will require that you periodically re-login to help limit the risk of misuse of your credentials. Sometimes, sites will track which IP address you use to log in, and if your IP address changes (e.g. you move from one network to another with your laptop) your cached login cookies will be considered invalid.
These cases are tricky to troubleshoot because there’s no indication to the client (unless the server explicitly provides an indication) that you sent a legitimate stored cookie but security policy requires periodic re-login. You can usually only determine that this is the problem by using a network monitor. Unfortunately, even that form of troubleshooting is difficult because unless you happened to have Fiddler running at the time of the prompt, it’s usually too late (because the login form will often itself wipe your “outdated” cookie).
Problem #6 is the most common problem—the website’s cookies are simply being cleared. As noted above, there are a number of ways that this can happen: you may have IE configured to delete cookies on exit (see the checkbox Delete browsing history on exit checkbox unchecked inside Tools > Internet Options > General). Or, perhaps you’ve deleted browser history manually using the Delete Browser History command. It’s also possible that your cookies are being cleared by another piece of software, for instance, security or privacy utilities.
Please let me know if there is anything else I can help you with.
Thank you for your question. If my answer helped at all, please accept. Positive feedback and/or a bonus is always greatly appreciated!