About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.

Mozilla Account Manager

For some time now, I've been happily using 1Password to manage all of my online accounts. I really like it and recommend it to all of my friends, but I do have a few reservations:

  • It uses a proprietary format for storing my account information. (Older versions used the Keychain format.)
  • It does not integrate with Mobile Safari or anything that's not a browser (e.g., iTunes). This means browsing on my iPhone or iPad is practically impossible, and my iTunes password has to be easy to type, leaving me vulnerable.
  • There's currently no way for developers to make sure their sites support 1Password. Given the way 1Password works, microformats seem like a possible solution.

Earlier this year, I heard about Account Manager, a new effort from Mozilla that aims to help web sites and users connect in a safe and consistent way. In other words, it can potentially make managing passwords online a lot easier, more consistent, and more secure. Furthermore, because it's being developed as an open standard, widespread support is a possibility.

The spec uses MediaWiki, which does not number sections by default. Because all references within the spec use section numbers, you might want to log in and select "auto-number headings" in your preferences. (You can also refer to the table of contents at the top.)

This weekend, I managed to find some time to explore Account Manager a bit. With the help of Dan Mills, I got it working with Firefox 4. He was also kind enough to provide some preview builds for you to use:

If you want to try it out before I give you a quick tour, install one of the Firefox 4 preview builds linked above, and visit my Account Manager demo.

Implementing Account Manager is pretty straightforward. To keep things simple, I'm only going to show you how to implement login and logout. Think of this as two steps:

  1. Inform the browser whether the user is logged in.
  2. Inform the browser how to log in and log out.

The first step is accomplished via the X-Account-Management-Status header. (This is a response header you can set with the header() function.) Here's an example:

X-Account-Management-Status: active; id="chris"; name="Chris Shiflett"; authmethod="username-password-form"

This header informs the browser that the user is currently logged in as chris. Instead of active (logged in), you may specify none (not logged in) or passive (remember me). The rest of the header is a semicolon-delimited list of attributes, three of which are currently defined: name, id, and authmethod. There are various options for authmethod, but I'm only going to be talking about username-password-form.

Informing the browser how to log in and log out is almost as easy. You indicate these things in an Account Management Control Document (AMCD). You can view my AMCD to get an idea of the format, but because json_encode() doesn't generate the most readable JSON, I'll share the PHP as well:

$json = array(
    'version' => 1,
    'sessionstatus' => array(
        'method' => 'GET',
        'path' => '/lab/account-manager/status'
    'auth-methods' => array(
        'username-password-form' => array (
            'connect' => array(
                'method' => 'POST',
                'path' => '/lab/account-manager/login',
                'params' => array(
                    'username' => 'username',
                    'password' => 'password'
            'disconnect' => array(
                'method' => 'GET',
                'path' => '/lab/account-manager/logout'
echo json_encode($json);

Although it's not indicated in the spec yet, sessionstatus is now required. In a future post, I will discuss this in more detail along with registration and other features.

After you create your own AMCD, specify its location with a Link header:

Link: <http://shiflett.org/lab/account-manager/amcd>; rel="acct-mgmt"

As a reminder, you can try my demo of Account Manager. I encourage you to use something like Live HTTP Headers, so you can examine the HTTP traffic. If you want to implement Account Manager on your own sites, be prepared to make frequent changes.

Here are a few additional things I noticed:

  • Account Manager does not seem to abide by the Cache-Control header correctly, which can make development cumbersome. You must restart Firefox for any AMCD change to take effect. (See my comment below for an alternative solution.)
  • It is not currently possible to protect against CSRF, but there are ongoing discussions about it, so a solution is sure to come in the near future.
  • Logging out currently requires the GET request method. As I've discussed before, POST is more appropriate. Because Account Manager provides a consistent interface, the request method you choose to use has no aesthetic implications, so I hope most people will use POST.

Want to participate in a new browser technology that just might prove to be more important than tabs? Install Firefox 4 (Mac, Linux, Windows), read the spec, try my demo, join the mailing list, and most of all, have fun!

There's a lot I did not cover in this post, but I will be blogging more about Account Manager in the near future. One of the missing topics I'm most interested in exploring is how Account Manager can potentially be supported by apps other than Firefox. It's possible that 1Password could continue to be essential, because it could be the app-neutral data store for all of my account data.

About this post

Mozilla Account Manager was posted on Tue, 17 Aug 2010. If you liked it, follow me on Twitter or share:


1.Chris Shiflett said:

Instead of restarting Firefox every time you change your AMCD, Dan Mills suggests pasting this into the error console to clear the cache:


Tue, 17 Aug 2010 at 17:32:03 GMT Link

2.Jordi Boggiano said:

Looks great, thanks for the wrap up about this. Joined the ML and I very much hope other browser vendors will follow on the spec.

Wed, 18 Aug 2010 at 23:18:28 GMT Link

3.Manuel Lemos said:

I use an alternative solution that consists in putting all Firefox (Thunderbird, Google Chrome, etc..) in TrueCrypt file containers. Then I don't bother with storing my passwords in remote services. My one password is the truecrypt container password. It also gives me additional protection in case my notebook is stolen.

Fri, 20 Aug 2010 at 02:20:49 GMT Link

4.John said:

The windows version doesn't seem to work with your demo :(

Fri, 20 Aug 2010 at 07:00:15 GMT Link

5.John said:

Oh, you need to press "save your password".

Fri, 20 Aug 2010 at 07:09:36 GMT Link

Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.