Defect #4043

username/password fields get autocompleted

Added by Stefan Stefansson about 12 years ago. Updated almost 6 years ago.

Status: New
Start date: 2009-10-17
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: UI
Target version: -
Resolution:
Affected version:

Description

At least in Firefox 3.5, username / password registration fields get autocompleted in places they shouldn't be autocompleted if users opt to have Firefox remember their username/password for login.

I've noticed this behavior in the following places:
  • When editing a specific LDAP connection, my username/password is inserted into the form even though it's supposed to be blank.
  • When changing passwords, the current password field gets autocompleted. This should not happen, as this is a security feature and should require the user to actually type in the old password.

It is unclear to me why this is happening in these two places because the fields have different names in the login form on one hand and the LDAP form on the other hand.

I have, however, confirmed this behavior on two different Firefox browsers (although both are Linux versions). I'll try to confirm that this happens in Firefox on Windows as well later.

autocomplete.diff - Patch for deactivating autocomplete on login (944 Bytes) Daniel Felix, 2013-02-05 10:54

redmine_autocomplete1.png - autocomplete should be off for Project Settings -> Repository (82.8 KB) Stefan Stefansson, 2013-02-05 12:00

redmine_autocomplete2.png - autocomplete should be off for Administration -> LDAP Authentication -> (edit configuration) (113 KB) Stefan Stefansson, 2013-02-05 12:00

autocomplete_v2.diff (2.72 KB) Daniel Felix, 2013-02-05 21:30


Related issues

Related to Redmine - Patch #240: views/user/edit, make password fields not-autocomplete (U... New
Duplicated by Redmine - Defect #25145: Disable Autocomplete in redmine login page Closed

History

#1 Updated by Stefan Stefansson about 12 years ago

Another place this happens is in a project's Settings -> Repository form. There, my username/password get automatically filled in even though they're supposed to be empty.

#2 Updated by Ewan Makepeace almost 12 years ago

I had similar problems on one of my own sites and even changing the field names did not solve it - it seems that some browsers see the PASSWORD field type and enter your password for you no matter what you call the field...

#3 Updated by Daniel Felix over 8 years ago

Hi,

I attached a patch for fixing the login autocomplete.

@Stefan: I couldn't find your point. Can you give me a screenshot for this?

#4 Updated by Etienne Massip over 8 years ago

Daniel Felix wrote:

I attached a patch for fixing the login autocomplete.

This should not be set for login but for registration (source:/trunk/app/views/account/register.html.erb@9440).

#5 Updated by Stefan Stefansson over 8 years ago

Attached are two screenshots that I could get (sorry about all the blurring).

The screenshots are from:
1) (in each project) -> Settings -> Repository

Here it autofills the username/password for the repository URL with my login information for Redmine. More often than not there is no username/password needed for this and since this gets autofilled it's particularly bad since that means that when doing any changes you'll need to remember to remove the autofilled information.

2) Administration -> LDAP Authentication -> (pick any available configuration)

Again this autofills with my username/password to the Redmine setup while this field is intended for an LDAP user.

Both of the above fields are registration fields and the general rule should be to set autocomplete to off for any registration fields.

So I will assume that Etienne Massip's suggestion is correct and you should put it in the register.html.erb template. Furthermore it should be put in the templates for the two screenshots I provided (LDAP authentication and Repository settings) and lastly as I pointed out in the original report when the user changes password (I can't provide a screenshot of that or the registration since we have that turned off in our setup, users are created in the LDAP directory).

I hope this is clear enough but I should note that the Redmine version we're running on is getting quite old so there is a chance that paths or locations have changed.

#6 Updated by Daniel Felix over 8 years ago

Sorry, I haven't read "registration", just login. :-)

I attached a newer version. I searched for it but I couldn't find any svn password. Well this could be, as we aren't using SVN anymore. But maybe Jean-Philippe or Toshi know where to find them.

#7 Updated by Go MAEDA almost 6 years ago

Modern browsers don't support autocomplete="off".

IE11+:
https://msdn.microsoft.com/library/ms533486.aspx

As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields.

Firefox 30+:
https://www.fxsitecompat.com/en-US/docs/2014/form-autocomplete-off-no-longer-prevents-passwords-from-being-saved/

<form autocomplete="off"> no longer prevents passwords from being saved

Chrome 34+:
http://googlechromereleases.blogspot.ro/2014/04/stable-channel-update.html

Chrome will now offer to remember and fill password fields in the presence of autocomplete=off.
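
An added example (not part of the thread or of Redmine's code): a Ruby audit of rendered form HTML that lists each password input and the autocomplete hint it carries, given the browser behaviour quoted in comment #7. The sample markup and field names are constructed; `new-password` and `current-password` are standard HTML autocomplete tokens that the thread itself does not mention.

```ruby
# Added example: audit rendered HTML for password inputs and their autocomplete hints.
# Regex-based scan, adequate for simple server-rendered forms; not a full HTML parser.
# Form-level autocomplete attributes are not inspected, only the input's own.

ATTR = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Parse the attributes of one tag into a Hash with lowercase keys.
def tag_attrs(tag)
  tag.scan(ATTR).to_h { |k, dq, sq, bare| [k.downcase, dq || sq || bare] }
end

# Classify the autocomplete value seen on a password input.
def classify(value)
  case value&.downcase
  when nil                then :missing          # browser applies its own heuristics
  when "off"              then :off_ignored      # per comment #7, not honoured for password fields
  when "new-password"     then :new_password     # hint: this is not the user's saved login
  when "current-password" then :current_password # hint: invites filling the saved login
  else                         :other
  end
end

# Return one finding per <input type="password"> in the HTML.
def audit_password_fields(html)
  html.scan(/<input\b[^>]*>/i).filter_map do |tag|
    a = tag_attrs(tag)
    next unless a["type"]&.downcase == "password"
    { name: a["name"], autocomplete: a["autocomplete"], finding: classify(a["autocomplete"]) }
  end
end

# Constructed sample markup (field names are made up, not Redmine's real ones).
SAMPLE_HTML = <<~HTML
  <form action="/auth_sources/1" method="post" autocomplete="off">
    <input type="text" name="ldap_account">
    <input type="password" name="ldap_account_password">
  </form>
  <form action="/my/password" method="post">
    <input type="password" name="old_password" autocomplete="off">
    <input type="password" name="new_password" autocomplete="new-password">
  </form>
HTML

if __FILE__ == $PROGRAM_NAME
  audit_password_fields(SAMPLE_HTML).each do |f|
    puts format("%-24s autocomplete=%-16s %s", f[:name], f[:autocomplete].inspect, f[:finding])
  end
end
```

The autocomplete tokens are hints to the browser and password manager, so a `:new_password` finding reduces unwanted fills but does not guarantee them away; a field that must always be typed still needs a server-side check of the submitted value.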

#8 Updated by Go MAEDA over 4 years ago

  • Duplicated by Defect #25145: Disable Autocomplete in redmine login page added
