I have a basic PHP based website running on a local WAMP server.
I am trying to turn the auto-complete function off the form, but am running into issues.
Code is:
But to no avail, is my syntax messed up?
Thanks Wayne
According to Mozilla Developer Network ...
The autocomplete attribute in a form typically has two effects.
it stops the browser saving field data for later autocompletion on similar forms though heuristics that vary by browser.
it stops the browser caching form data in session history. When form data is cached in session history, the information the user has filled in will be visible after the user has submitted the form and clicked on the Back button to go back to the original form page.
However, there is a caveat for login username/password fields where browsers normally don't apply this.
Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills those login fields with the stored values.
So if you've saved the username/password login information in your browser by choosing to remember the login for that site you likely will still see them autofilled by your browser.
Here's a link for removing these saved logins from different browsers that might help.
HTML5 autocomplete lacks feature, why not use Datalist?
You specify a list of possible values for an input of your html form.
modify your form element to include type
<form list="cars" method="post" action="index.php" name="loginform" id="loginform">
<datalist id="cars">
<option value="Ferrari">
<option value="Lamborghini">
<option value="Porsche">
<option value="Maserati">
<option value="Aston Martin">
</datalist>
Of course modify the list attribute to fit your needs.
Related
Is there any way to stop this behavour?
<div class="form-group">
<label for="user-profile-name-input">Name</label>
<input type="text" id="user-profile-name-input" class="form-control" aria-describedby="name" placeholder="Name" value="...">
</div>
So every time a change anything is this input field and navigate to a new page within my website, the browser prompts me if I would like to update my username for the saved password of the site.
Is there any way to stop this behaviour?
I trying adding autocomplete=off but there was no change.
-----
UPDATE
Ok so I managed to figure it out. It was an error on my part. Keeping this post here incase anyone else encounters this issue.
I have a couple of bootstrap modals on the same page. One of them has a type=password input. Since these are not completely removed when hidden the browser still has a reference to the password input.
I removed the modal and the browser is no longer prompting for me to update my username to the saved password every time i change a value in an input field.
Make sure you dont have a hidden input "type=password" somewhere on your page.
What you're asking for cannot be done at a code level. The behavior you're experiencing is browser specific and is something that can only be turned off by the user themselves if they choose to.
An example of how you can turn it off in Chrome here.
The browser recognizes the input field as a password field and therefore prompts for a password save, since the browser does not have a password stored for that specific page. Clicking "Never" will only stop the prompt for that page specifically, and any future page will still continue to prompt you until you completely disable the feature.
There are some hacky, tacky solutions to your problem if you really wanna go about it - check this post for instance, or this one. However, I strongly recommend that you don't use them as they are detrimental to the user experience. Let the user decide whether they want the feature or not.
That's a default functionality provided by chrome to save your credentials while you enter your credentials in your account in browser and not to repeat the credentials when you are trying to re login. There's no way to stop it by using HTML code.
I am working on a project which involves setting up a bunch of dashboards around the office. The plan is to use Screenly on Raspberry Pi 3s, as it seems to fit our needs for the most part at a very low cost. The problem is, some of the webpages that need to be displayed are locked behind a login. Screenly doesn't have a way to get past this, other than passing the login information and the page redirect through the URL itself. I am aware of the potential security issues this could bring, which is why the account we crated for this use can only view (and not edit) very specific pages.
I want to pass login information through a URL in order to login to a website and directly access a specific page on that website. I have had success passing login information in the form of:
https://website.com/dologin.action?username=CapnCrunch&password=Fr00tl00ps&login=Log+in&os_destination=%2Fpages%2Fviewpage.action%3FpageId%58008
This works nicely when the username and password attribute names are always the same, but not when they change on every refresh. Instead of the HTML attributes for the username box remaining the same every time the login page is accessed, they change slightly every time.
For example, these are the HTML attributes for the username upon loading the page for the first time:
<input name="ct100$phUser$txtUser8193" type"text" id="txtUser8193"
class="login_user border-box" placeholder="My Username">
But when I refresh the page, this same bit of HTML code changes to:
<input name="ct100$phUser$txtUser5516" type"text" id="txtUser5516"
class="login_user border-box" placeholder="My Username">
I would love to pass the URL arguments in the form of:
dologin.action?ct100$phUser$txtUserXxXx=CapnCrunch
Where XxXx is just whatever number the page decided to use at that time.
All the solutions I have found online include using external scripts of some kind. The problem is, Screenly only accepts URLs. Using a script would involve either editing Screenly's source code, or using a proxy webpage.
Is there any way to get around the changing attribute name without using external scripts?
Thanks in advance
I found same type of question question1 and question2
that gave as autocomplete="off" but this solution didn't work for chrome-40(firefox, IE, Safari work fine)
note: I didn't post code herewith that is very basic html login page
I've successfully disabled Chrome 40 password save by putting the following code on the destination page, i.e. where the user ends up after submitting the form:
<form action="" method="POST" autocomplete="off">
<input type="password" name="password0" style="visibility: hidden">
</form>
Note that you have to use visibility: hidden in the CSS. Using display: none (or not having a password field at all) will not prevent password save. It's probably also necessary that the name of the password field matches the one on the form that the user submitted.
Also note that preventing users from saving web passwords is evil. I needed this because we allow users to change the password for a non-web based system via a web page, so saving the password makes absolutely no sense. For a normal web site you should not deprive users the right to save passwords.
I received a bug report this morning that browsers were offering to remember the password from our website's sign up form, but not regurgitating it on the login form afterwards.
My initial suggestion was to disable autocomplete on the password field of the signup form so that users wouldn't have the option to store credentials until they logged in for the first time.
However, my project manager asked me to research exactly that, whether or not it's possible to have browsers store credentials after submitting an account creation form and then properly fill in the login form upon later visits to the site?
Besides this convoluted explanation, I don't even know where to begin researching, so I'm turning to the community to see if you guys can point me in the right direction, or at least give me the right words to search for.
Thanks!!
Did you disable autocomplete on one field or complete tag?
Disable browser 'Save Password' functionality
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
Here is a rough "save as" from a basic contact details web app that I am using:
http://dtbaker.net/files/webfiles/auto-complete-issues.html
Whenever I am on a "contact" page it puts my saved username into the "new group" box and my saved password into the "set password" box, as shown in this screenshot:
As you can see in the HTML code linked above, the non-standard autocomplete=off attribute is used on the "group" input box:
<input type="text" name="group_module_name[user][new]" autocomplete="off">
and it's even in the password input box:
<input type="password" name="password_new" autocomplete="off" value="">
The problem here is that every time I click "Save Contact" it will overwrite this contacts password with my saved password and create a new Contact Group named the same as my username.
Ideas anyone?
The reason browsers are ignoring autocomplete=off is because there have been some web-sites that tried to disable auto-completing of passwords.
That is wrong; and in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.
Bugzilla Bug 956906 - ignore autocomplete="off" when offering to save passwords via the password manager
Reddit discussion
Chrome's announcement when they began ignoring autocomplete=off
Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.
Chrome ignores it
Safari ignores it
IE ignores it
Firefox ignores it
What if I'm a special snowflake?
There are people who bring up a good use-case:
I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so they next user could use it.
That does not violate the statement:
Any attempt by any web-site to circumvent the browser's preference is wrong
That is because in the case of a shared kiosk:
it is not the web-server that has the oddball policy
it is the client user-agent
The browser (the shared computer) is the one that has the requirement that it not try to save passwords. The correct way to prevent the browser from saving passwords, is to configure the browser to not save passwords. Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.
In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).
From the Chrome Policy List:
AutoFillEnabled
Enable AutoFill
Data type: Boolean (REG_DWORD)
Windows registry location: Software\Policies\Chromium\AutoFillEnabled
Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
If you want your browser to stop autocompleting entries, then you need to configure your browser to match your preferences. No web-site, or security auditor, should attempt to force their opinions on me. There is no reason why my browser, sitting in my home, under my lock and key, should be prevented from saving anything i want - it's my browser.
Please pass the word that trying to disable autocompleting of password is wrong, browsers are intentionally ignoring anyone who tries to do it, and they should stop doing the wrong thing.™
I Fixed issue by adding dummy input field with dynamic name and ID
<input type="password" id="dummytoavoidAutoFill<?php echo date('ljSFYhisA');?>" name="dummytoavoidAutoFillFBN" value="" style="display:none;"/>