Browsers offer to store usernames and passwords.
When my users say yes to that offer, username and password are filled in by default which is a major security leak.
I’ve tryed autocomplete=‘off’ but it doesn’t help.
How do I set my yii login page so that users can not store their credentials?
Thank you in advance
Can you show the code that you tried (in context)? It’s not clear exactly what you did.
just a simple login form with autocomplete=off…
my question is about browsers in general… they ask users if they wish to store their usernames and passwords…
if the user says yes, the credentials are automatically filled.
there must be something that can be done about this… maybe disabling cookies somehow…
<?php
/* @var $this SiteController */
/* @var $model LoginForm */
/* @var $form CActiveForm */
$this->pageTitle=Yii::app()->name . ' - Login';
$this->breadcrumbs=array(
'Login',
);
?>
<h1>Login</h1>
<p><?php
echo Yii::t('seguranca','Please fill out the following form with your login credentials');
?>
:</p>
<div class="form">
<?php $form=$this->beginWidget('CActiveForm', array(
'id'=>'login-form',
'enableClientValidation'=>true,
'clientOptions'=>array('validateOnSubmit'=>true,),
'htmlOptions' => array('autoComplete'=>'off'),
)); ?>
<p class="note"><?php echo Yii::t('seguranca','Fields with'); ?>
<span class="required">*</span> <?php echo Yii::t('seguranca','are required'); ?> .</p>
<div class="row">
<?php echo $form->labelEx($model,'username'); ?>
<?php echo $form->textField($model,'username'); ?>
<?php echo $form->error($model,'username'); ?>
</div>
<div class="row">
<?php echo $form->labelEx($model,'password'); ?>
<?php echo $form->passwordField($model,'password'); ?>
<?php echo $form->error($model,'password'); ?>
</div>
<!--div class="row rememberMe">
<?php //echo $form->checkBox($model,'rememberMe'); ?>
<?php //echo $form->label($model,'rememberMe'); ?>
<?php //echo $form->error($model,'rememberMe'); ?>
</div-->
<div class="row buttons">
<?php echo CHtml::submitButton('Login'); ?>
</div>
<?php $this->endWidget(); ?>
</div><!-- form -->
I don’t think there’s a standardized cross-browser solution to your problem, but if you can find one, think twice before implementing it. By disabling autofill in the browsers you will encourage users who rely on this feature to find other “creative” solutions and they will either write down their passwords and store it near to their computers or use easy-to-remember (=weak) passwords. None of the above will really improve security.
So, How do banks and other secure sites do it?
When I use my homebanking website chrome doesn’t ask me if I want to store the username and password.
There must be a way…
Attach autocomplete tag to the input fields, not the form.
Any new ideas for preventing Chrome from storing/rendering the user’s password?
It does not help to clear the password field with $(document).on(‘ready/load’, because Chrome simply displays the password again thereafter.
I haven’t tried this before but maybe naming the field differently might help. Something instead of ‘password’.
Hi Bizley
If you don’t use type=“password”, then the browser displays the password text. Even if you could display something else via CSS, it would probably be insecure.
My bank uses type="password", but still Chrome does not display the stored/previous password. So there must be a way.
They have
<input ondragstart="return false" onselectstart="return false" value="" class="ui-form-field ui-textBox ui-keypad-input-selected vi-activeElement" style="width:132px; height:18px; line-height:18px; vertical-align:middle;" name="PIN" id="j_pin" maxlengthdev="5" ondrag="return false" oncopy="return false" autocomplete="off" bbf_required="true" requiredtext="Field is required." schematypetext="Only numeric values are allowed" showmehow="The PIN must be numeric and cannot contain alpha characters, e.g. *, #, @ or a, b, c. The PIN can be either four or five digits long." messageref=".errorMessage" type="password" tabindex="0" aria-invalid="false" aria-required="true" aria-labelledby="id-5822">
I meant ‘name’ not ‘type’. Instead of
<input type="password" name="password">
use for example
<input type="password" name="secret">
But I don’t think it will work anyway. Is setting placeholder preventing the field from filling it with saved data?
No luck there either.