Feature #17021
closed
Add autocomplete="off" to BE login
0%
Description
As a security feature we could add autocomplete="off" to the password field or even the whole login page (and Install Tool).
Most browsers support this:
<INPUT TYPE = "password" NAME = "thePassword" AUTOCOMPLETE = "off">
or
<FORM AUTOCOMPLETE = "off">...</FORM>
You should be aware that this tag is not an official W3C one but still, supported by all major browsers.
(issue imported from #M5046)
Files
Updated by Patrick Gaumond about 17 years ago
Relation with http://bugs.typo3.org/view.php?id=4938 ?
Updated by Oliver Hader about 17 years ago
+1 for doing this on form fields with sensitive data
Updated by Andreas Wolf about 17 years ago
AFAIK the password-fields are not used for auto-completion, or am I wrong? But this would surely be useful for fields with e.g. e-mail-addresses or login-names.
Updated by Bernhard Kraft over 16 years ago
I attached a patch allowing to configure IPs for which autocomplete is disabled to bug 6506.
But only for the username field - the password field will not get autocompleted anyways (browse security)
So you could add:
192.168.*,127.*
which would disable autocomplete for all local IPs
The option in the install tool is called "autocompleteOffIPs"
Updated by Bernhard Kraft over 14 years ago
Added a new patch.
The problem with "autocomplete=off" is W3C validity. The tag is not official, so it renders the complete login page not valid any more (1 error).
The attached patch solves this problem by setting the attribute via JavaScript using the startUp() method already existing.
Updated by Bernhard Kraft over 10 years ago
- Status changed from Accepted to Closed
This isssue is solved by UI improvements in modern browsers "remember password" feature.
No need for changes.