username/password fields get autocompleted
At least in Firefox 3.5, username / password fields get autocompleted in places they shouldn't be autocompleted if users opt to have Firefox remember their username/password for login.I've noticed this behavior in the following places:
- When editing a specific LDAP connection, my username/password is inserted into the form even though it's supposed to be blank.
- When changing passwords, the current password field gets autocompleted, this should not happen as this is a security feature and should require the user to actually type in the old password.
It is unclear to me why this is happening in these two places because the fields have different names in the login form on one hand and the LDAP form on the other hand.
I have, however, confirmed this behavior on two different Firefox browsers (although both are Linux versions). I'll try to confirm that this happens in Firefox on Windows as well later.
#4 Updated by Etienne Massip over 8 years ago
Daniel Felix wrote:
I attached a patch for fixing the login autocomplete.
This should not be set for login but for registration (source:/trunk/app/views/account/register.html.erb@9440).
#5 Updated by Stefan Stefansson over 8 years ago
Attached are two screenshots that I could get (sorry about all the blurring).
The screenshots are from:
1) (in each project) -> Settings -> Repository
Here it autofills the username/password for the repository URL with my login information for Redmine. More often than not there is no username/password needed for this and since this gets autofilled it's particularly bad since that means that when doing any changes you'll need to remember to remove the autofilled information.
2) Administration -> LDAP Authentication -> (pick any available configuration)
Again this autofills with my username/password to the Redmine setup while this field is intended for an LDAP user.
Both of the above fields are fields and the general rule should be to set autocomplete to off for fields.
So I will assume that Etienne Massip's suggestion is correct and you should put it in the register.html.erb template. Furthermore it should be put in the templates for the two screenshots I provided (LDAP authentication and Repository settings) and lastly as I pointed out in the original report when the user changes password (I can't provide a screenshot of that or the registration since we have that turned off in our setup, users are created in the LDAP directory).
I hope this is clear enough but I should note that the Redmine version we're running on is getting quite old so there is a chance that paths or locations have changed.
#6 Updated by Daniel Felix over 8 years ago
- File autocomplete_v2.diff added
Sorry, I haven't read "registration", just login. :-)
I attached a newer version. I searched for it but I couldn't find any svn password. Well this could be, as we aren't using SVN anymore. But maybe Jean-Philippe or Toshi know where to find them.
#7 Updated by Go MAEDA almost 6 years ago
Modern browsers don't support autocomplete="off".
As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields.
<form autocomplete="off"> no longer prevents passwords from being saved
Chrome will now offer to remember and fill password fields in the presence of autocomplete=off.