There are three totally different systems on the World Wide Web for handling logins, and the methods for saving and managing passwords are completely different for each. The two main methods are HTTP authentication (pretty rare), and Web-based authentication (standard practice). A few sites also use cookies stored on your machine to remember your log-in and password or. These three methods are all explained in the next section.

Many iCab users see the Passwords section of the preferences (sometimes referred to as the "password manager") and incorrectly assume that iCab uses this for all sites. This is unfortunately not true, as iCab only uses its password manager, or the Keychain if that is what you prefer, for sites that use HTTP authentication, of which there are relatively few. For all other sites, a different part of iCab needs to be used.

Further, it should be noted that there is no standard method for logging in on the Web, and every Web site does it their own way. Therefore, it will always depend on an individual site's implementation of logging in as to how it works and thus how to configure your browser for it.

Web-based authentication

This is the type of log-in with which most people will be familiar, and is where the username and password are part of the page itself, like any other Web-based form. You fill in the username (or e-mail address) and password fields and click the Log In button. Most browsers will ask you on the first instance of logging into each site, whether they should save the password. If you select yes, it gets filled in for you next time you visit.

iCab does not have such an automatic feature; instead, you have to take these two steps manually. While a bit tedious, it is very simple. When you are about to log-in, use View > Save Forms to commit the username and password to iCab's settings. These will be saved only for the current page, not for the current site. Saving the form details for mysite/login.php will not make them accessible to a log-back-in form on logout.php or any other location of a log-in page! Do bear this in mind if you log in from several URLs.

Finally, to recall the saved log-in, go to your log-in page and select View > Fill Out Forms, or press opt-cmd-F. This will restore the details to the page whereupon you can proceed to log in. Do bear in mind that because this process does not involve the Keychain (which can be locked or set to time-out), nothing now prevents another person from getting into your private log-ins.

Please note that the above only applies to iCab 3; there was no Forms Manager in iCab 2 and earlier and log-ins simply had to be memorised and re-typed manually.

HTTP authentication

A rare few sites use HTTP authentication, but they are definitely out there. You can recognise these by the dialog box that iCab presents when you visit them:

The username and password here can indeed be saved for you by iCab, either into iCab's own settings, or the Keychain, depending on which is selected in the Passwords setttings. You can play with an example such site here:

http://telcontar.net/store/hosted/authtest/

Username is authme, password is 12345. You will note that if you quit iCab, lock the keychain, reload iCab, and ask for the page again, then depending on your cache settings, the page may possibly come straight back up without requiring Keychain access. This may be considered a security hole in iCab. The security conscious in all cases should set the browser cache to clear on quit and keep iCab shut down.

Cookie-based log-ins

Some sites, especially those with a "remember me" link, store a cookie or two on your computer so that your identity can be remembered. These should be straightforward but there are several points to note, most of which can be checked and amended in the Cookie settings and the Filter Manager.

1. The cookies must be accepted for that site to begin with.
2. The cookies must be able to be transmitted back to the site.
3. The cookies must be saved to disc on quit.
4. JavaScript may need to be turned on to read and write cookies

The third item may pose an unexpected problem if you don't know that iCab only saves cookies when it quits. If iCab crashes, changes to cookies are all lost! If you want to make sure your cookies are safe, manually close iCab and re-open it. As far as JavaScript is concerned, for some sites, JavaScript is required to be enabled and, in the JavaScript filters in the Preferences, set to be allowed to read and write cookies.

In more detail...

The following steps will help you debug cookie-based log-ins if you believe that cookies are being saved for the site in question:

Quit iCab and re-launch it. Check in the Cookie Manager (Tools > Cookie Manager) to see if the cookies for the site are there. If so, try deleting them and then log in again, to re-create again. If there still aren't any cookies saved for those sites, then for some reason iCab isn't storing them. In that case, select Cookie Preferences from the Cookie Manager to review your cookie settings to make sure that cookies are being saved.

We are assuming here that you have not set up cookie filtering using the Filter Manager as this adds a level of complexity. If you suspect this to be the case, try logging into the site with the Filter Manager turned off (untick View > Filter Manager Active) and try again.

If you don't want to save all cookies

Sander Tekelenburg lists the following options for saving log-in cookies, based on the Cookie settings in iCab in the preferences (the pop-up menu labelled "General setting"):

1. Always accept (and automatically store) cookies: this is the default dumb browser behaviour that one wouldn't expect an iCab user to want)
2. Never accept cookies: you can use this to and have option [1] on once when you log in to the site, then immediately switch it to accept, expire at end of session (meaning the cookies will be deleted when you quit iCab) and edit the specific cookie(s) for that site to be kept; or
3. Have iCab set to accept all cookies, but have them expire upon ending the session (upon quit) and make an entry in the Filter Manager to have iCab make an exception (accepting and keeping cookies) for that particular site

You may need to in addition experiment, per site, with the option in iCab's JavaScript prefs to have JavaScript be (dis)allowed to create/read cookies.

Note that option [2] is the most restrictive/secure, as option [3] would have iCab accept and store all cookies from the site whereas you may in fact only want to allow a login cookie. But it'll probably depend per site how they bake their cookies.

-- DanielBeardsmore - 19 Apr 2006 Based on work by Sander Tekelenburg and Arne Johannessen