Defect #4043

open

username/password fields get autocompleted

Added by Stefan Stefansson over 14 years ago. Updated over 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: UI
Target version: -
Start date: 2009-10-17
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

At least in Firefox 3.5, username / password registration fields get autocompleted in places they shouldn't be autocompleted if users opt to have Firefox remember their username/password for login.

I've noticed this behavior in the following places:
  • When editing a specific LDAP connection, my username/password is inserted into the form even though it's supposed to be blank.
  • When changing passwords, the current password field gets autocompleted; this should not happen, as this is a security feature and should require the user to actually type in the old password.

It is unclear to me why this is happening in these two places because the fields have different names in the login form on one hand and the LDAP form on the other hand.

I have, however, confirmed this behavior on two different Firefox browsers (although both are Linux versions). I'll try to confirm that this happens in Firefox on Windows as well later.


Files

autocomplete.diff (944 Bytes) - Patch for deactivating autocomplete on login - Daniel Felix, 2013-02-05 10:54
redmine_autocomplete1.png (82.8 KB) - autocomplete should be off for Project Settings -> Repository - Stefan Stefansson, 2013-02-05 12:00
redmine_autocomplete2.png (113 KB) - autocomplete should be off for Administration -> LDAP Authentication -> (edit configuration) - Stefan Stefansson, 2013-02-05 12:00
autocomplete_v2.diff (2.72 KB) - Daniel Felix, 2013-02-05 21:30

Related issues

Related to Redmine - Patch #240: views/user/edit, make password fields not-autocomplete (UI fix) - New - Jean-Philippe Lang

Has duplicate Redmine - Defect #25145: Disable Autocomplete in redmine login page - Closed

Actions #1

Updated by Stefan Stefansson over 14 years ago

Another place this happens is in a project's Setting -> Repository form. There, my username/password get automatically filled in even though they're supposed to be empty.

Actions #2

Updated by Ewan Makepeace over 14 years ago

I had similar problems on one of my own sites and even changing the field names did not solve it - it seems that some browsers see the PASSWORD field type and enter your password for you no matter what you call the field...

Actions #3

Updated by Daniel Felix about 11 years ago

Hi,

I attached a patch for fixing the login autocomplete.

Stefan Heinsen: I couldn't find your point. Can you give me some screenshots for this?

Actions #4

Updated by Etienne Massip about 11 years ago

Daniel Felix wrote:

I attached a patch for fixing the login autocomplete.

This should not be set for login but for registration (source:/trunk/app/views/account/register.html.erb@9440).

Actions #5

Updated by Stefan Stefansson about 11 years ago

Attached are two screenshots that I could get (sorry about all the blurring).

The screenshots are from:
1) (in each project) -> Settings -> Repository

Here it autofills the username/password for the repository URL with my login information for Redmine. More often than not there is no username/password needed for this and since this gets autofilled it's particularly bad since that means that when doing any changes you'll need to remember to remove the autofilled information.

2) Administration -> LDAP Authentication -> (pick any available configuration)

Again this autofills with my username/password to the Redmine setup while this field is intended for an LDAP user.

Both of the above fields are registration fields and the general rule should be to set autocomplete to off for any registration fields.

So I will assume that Etienne Massip's suggestion is correct and you should put it in the register.html.erb template. Furthermore it should be put in the templates for the two screenshots I provided (LDAP authentication and Repository settings) and lastly as I pointed out in the original report when the user changes password (I can't provide a screenshot of that or the registration since we have that turned off in our setup, users are created in the LDAP directory).

I hope this is clear enough but I should note that the Redmine version we're running on is getting quite old so there is a chance that paths or locations have changed.

Actions #6

Updated by Daniel Felix about 11 years ago

Sorry, I haven't read "registration", just login. :-)

I attached a newer version. I searched for it but I couldn't find any svn password. Well this could be, as we aren't using SVN anymore. But maybe Jean-Philippe or Toshi know where to find them.

Actions #7

Updated by Go MAEDA over 8 years ago

Modern browsers don't support autocomplete="off".

IE11+:
https://msdn.microsoft.com/library/ms533486.aspx

As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields.

Firefox 30+:
https://www.fxsitecompat.com/en-US/docs/2014/form-autocomplete-off-no-longer-prevents-passwords-from-being-saved/

<form autocomplete="off"> no longer prevents passwords from being saved

Chrome 34+:
http://googlechromereleases.blogspot.ro/2014/04/stable-channel-update.html

Chrome will now offer to remember and fill password fields in the presence of autocomplete=off.
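
An audit of the kind this thread calls for, as an added example that is not part of the original comments or of Redmine's code: it lists every password field in a set of ERB templates with the autocomplete value it carries, and flags those left unset or set to "off", which comment #7 reports browsers no longer honor for password inputs. The template paths and markup are constructed samples, and all function names are hypothetical.

```ruby
# Added example (not Redmine code): audit password fields in ERB templates.
INPUT_TAG   = /<input\b[^>]*>/i                     # raw HTML inputs
RAILS_FIELD = /\bpassword_field(?:_tag)?\b[^\n]*/   # Rails form helpers
FIELD       = Regexp.union(INPUT_TAG, RAILS_FIELD)

# Returns the autocomplete value in a markup fragment, or nil if none is set.
def autocomplete_value(fragment)
  m = fragment.match(/autocomplete\s*(?:=>|=|:)\s*["']?([\w-]+)/i)
  m && m[1].downcase
end

# Returns [{file:, line:, autocomplete:}, ...] for each password field found.
def audit_password_fields(templates)
  templates.flat_map do |file, source|
    hits = []
    source.scan(FIELD) do
      m = Regexp.last_match
      frag = m[0]
      # Raw <input> tags only count when they are type="password".
      next if frag.start_with?('<') && frag !~ /type\s*=\s*["']?password/i
      line = source[0...m.begin(0)].count("\n") + 1
      hits << { file: file, line: line, autocomplete: autocomplete_value(frag) }
    end
    hits
  end
end

# Fields with no attribute, or with "off" (which comment #7 says browsers
# ignore for password inputs), are where a saved login can be inserted.
def browser_may_fill(findings)
  findings.select { |f| f[:autocomplete].nil? || f[:autocomplete] == 'off' }
end

# Constructed sample templates; paths and markup are illustrative only.
# "new-password" is an HTML-standard autocomplete token, not from this thread.
SAMPLES = {
  'account/register.html.erb' => <<~ERB,
    <p><%= f.password_field :password, :size => 25 %></p>
    <p><%= f.password_field :password_confirmation, :autocomplete => 'off' %></p>
  ERB
  'my/password.html.erb' => <<~ERB
    <input type="text" name="login">
    <input type="password" name="password"
           size="25">
    <%= password_field_tag 'new_password', nil, autocomplete: 'new-password' %>
  ERB
}
browser_may_fill(audit_password_fields(SAMPLES)).each do |f|
  puts "#{f[:file]}:#{f[:line]} autocomplete=#{f[:autocomplete].inspect}"
end
```
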

Actions #8

Updated by Go MAEDA about 7 years ago

  • Has duplicate Defect #25145: Disable Autocomplete in redmine login page added