Defect #4043
open
username/password fields get autocompleted
0%
Description
At least in Firefox 3.5, username / password registration fields get autocompleted in places they shouldn't be autocompleted if users opt to have Firefox remember their username/password for login.
I've noticed this behavior in the following places:
- When editing a specific LDAP connection, my username/password is inserted into the form even though it's supposed to be blank.
- When changing passwords, the current password field gets autocompleted. This should not happen as this is a security feature and should require the user to actually type in the old password.
It is unclear to me why this is happening in these two places because the fields have different names in the login form on one hand and the LDAP form on the other hand.
I have, however, confirmed this behavior on two different Firefox browsers (although both are Linux versions). I'll try to confirm that this happens in Firefox on Windows as well later.
Updated by Stefan Stefansson about 15 years ago
Another place this happens is in a project's Settings -> Repository form. There, my username/password get automatically filled in even though they're supposed to be empty.
Updated by Ewan Makepeace about 15 years ago
I had similar problems on one of my own sites and even changing the field names did not solve it - it seems that some browsers see the PASSWORD field type and enter your password for you no matter what you call the field...
Updated by Daniel Felix almost 12 years ago
- File autocomplete.diff added
Hi,
I attached a patch for fixing the login autocomplete.
Stefan Heinsen: I couldn't find your point. Can you give me a screenshot for this?
Updated by Etienne Massip almost 12 years ago
Daniel Felix wrote:
I attached a patch for fixing the login autocomplete.
This should not be set for login but for registration (source:/trunk/app/views/account/register.html.erb@9440).
Updated by Stefan Stefansson almost 12 years ago
- File redmine_autocomplete1.png added
- File redmine_autocomplete2.png added
Attached are two screenshots that I could get (sorry about all the blurring).
The screenshots are from:
1) (in each project) -> Settings -> Repository
Here it autofills the username/password for the repository URL with my login information for Redmine. More often than not there is no username/password needed for this and since this gets autofilled it's particularly bad since that means that when doing any changes you'll need to remember to remove the autofilled information.
2) Administration -> LDAP Authentication -> (pick any available configuration)
Again this autofills with my username/password to the Redmine setup while this field is intended for an LDAP user.
Both of the above fields are registration fields and the general rule should be to set autocomplete to off for any registration fields.
So I will assume that Etienne Massip's suggestion is correct and you should put it in the register.html.erb template. Furthermore it should be put in the templates for the two screenshots I provided (LDAP authentication and Repository settings) and lastly as I pointed out in the original report when the user changes password (I can't provide a screenshot of that or the registration since we have that turned off in our setup, users are created in the LDAP directory).
I hope this is clear enough but I should note that the Redmine version we're running on is getting quite old so there is a chance that paths or locations have changed.
Updated by Daniel Felix almost 12 years ago
- File autocomplete_v2.diff added
Sorry, I haven't read "registration", just login. :-)
I attached a newer version. I searched for it but I couldn't find any svn password. Well this could be, as we aren't using SVN anymore. But maybe Jean-Philippe or Toshi know where to find them.
Updated by Go MAEDA about 9 years ago
Modern browsers don't support autocomplete="off".
IE11+:
https://msdn.microsoft.com/library/ms533486.aspx
As of Internet Explorer 11, the autocomplete property is no longer supported for input type=password fields.
<form autocomplete="off"> no longer prevents passwords from being saved
Chrome 34+:
http://googlechromereleases.blogspot.ro/2014/04/stable-channel-update.html
Chrome will now offer to remember and fill password fields in the presence of autocomplete=off.
Updated by Go MAEDA almost 8 years ago
- Has duplicate Defect #25145: Disable Autocomplete in redmine login page added
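Added example (not Redmine code and not taken from the attached patches): a Ruby audit that lists every password field in a set of view templates and classifies its autocomplete setting, separating fields with no attribute from fields set to "off", which the comment quoting the IE11 and Chrome 34 notes reports is ignored for password fields. The template names and contents are constructed stand-ins; `current-password` and `new-password` are autofill tokens from the HTML standard, used here only as sample values.

```ruby
# Added example: report how each password field in a view template sets autocomplete.

# Matches Rails helpers (password_field, password_field_tag) and raw <input type="password">.
PASSWORD_FIELD = /password_field(?:_tag)?\b[^\n]*|<input\b[^>]*type=["']password["'][^>]*>/i
# Matches autocomplete: 'x', :autocomplete => "x" and autocomplete="x".
AUTOCOMPLETE = /autocomplete["']?\s*(?::|=>|=)\s*["']([\w-]+)["']/i

# Classify one field's markup:
#   :unset   - no attribute, so the browser is free to fill a saved login
#   :ignored - "off", which the thread notes IE11+ and Chrome 34+ disregard for passwords
#   :token   - an explicit autofill token such as "new-password"
def classify(field_source)
  value = field_source[AUTOCOMPLETE, 1]&.downcase
  return [:unset, nil] if value.nil?
  [value == 'off' ? :ignored : :token, value]
end

# Return one finding per password field: {file:, line:, status:, value:}.
def audit(templates)
  templates.flat_map do |file, source|
    source.each_line.with_index(1).flat_map do |text, line_no|
      text.scan(PASSWORD_FIELD).map do |field|
        status, value = classify(field)
        { file: file, line: line_no, status: status, value: value }
      end
    end
  end
end

# Constructed templates for the forms named in the thread (not Redmine's real files).
SAMPLE_TEMPLATES = {
  'ldap_form.html.erb' => <<~ERB,
    <p><%= f.text_field :account %></p>
    <p><%= f.password_field :account_password %></p>
  ERB
  'repository_form.html.erb' => <<~ERB,
    <p><%= f.password_field :password, :autocomplete => 'off' %></p>
  ERB
  'change_password.html.erb' => <<~ERB
    <p><%= password_field_tag 'password', nil, autocomplete: 'current-password' %></p>
    <p><input type="password" name="new_password" autocomplete="new-password"></p>
  ERB
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_TEMPLATES).each do |f|
    puts format('%-26s line %d  %-8s %s', f[:file], f[:line], f[:status], f[:value])
  end
end
```

Fields reported as `:unset` or `:ignored` are the ones to retest in a current browser with a saved login.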