-
FEATURED COMPONENTS
First time here? Check out the FAQ!
I would like to restrict the browsers from asking to remember the password for the application. I have done the below changes in the login page
<zk xmlns:h="http/www.w3.org/1999/xhtml" xmlns:ca="client/attribute">
<h:form action="j_spring_security_check" method="post">
<textbox type="password" ca:autocomplete="off" />
</h:form>
</zk>
This works fine in Firefox and IE8 but not working in Chrome.
I tried to specify the ca:autocomplete="off" for form element but didn't worked.
Thanks in advance
Just use the textbox like this.It will eliminate the browser save password functionality. <textbox id="pwdtb" width="300px" type="password" xmlns:w="client" readonly="true"> <attribute w:name="onBlur"> <attribute w:name="onFocus"> </textbox>
Hello Darksu
This is not working in chrome browser
In case you need some commonly accepted opinions check the OWASP website:
https://www.owasp.org/index.php/TestingforVulnerableRememberPassword_%28OTG-AUTHN-005%29
Which states:
Since early 2014 most major browsers will override any use of autocomplete="off" with regards to password forms and as a result previous checks for this are not required and recommendations should NOT commonly be given for disabling this feature.
Maybe that's some reasoning for your customer to consider. Also it might be time to upgrade their browsers... I'd argue IE8 (on WinXP?) is the greater security risk here to worry about.
Robert
Asked: 2014-05-14 10:52:23 +0800
Seen: 50 times
Last updated: Jun 13 '17