[Owasp-egypt] Autocomplete='off' Phasing Out

A. Saafan a.m.saafan at gmail.com
Sun Oct 12 07:26:45 UTC 2014


Now that the autocomplete='off' HTML attribute is being phased out [1
<https://bugzilla.mozilla.org/show_bug.cgi?id=956906>] [2
<http://msdn.microsoft.com/en-us/library/ie/ms533486>] [3
I found people using some workarounds:

· *Split username and password to separate pages*: This is the more
elegant solution, adopted by security-conscious websites. It relies on the
fact that browser autocomplete cannot catch the username from one page and
the password from another (with validation at the end).

· *Move username and password values to hidden fields before submit*:
This is a JavaScript workaround. Just before submit, a script removes the
values from the viewable form fields and moves them to hidden form fields.
So the browser will not try to cache the displayed fields because they are
empty, and by default it will not cache the hidden fields.

Thoughts? Other suggestions?
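
The second workaround described above, as an added example that is not part of the original post. The field names "username" and "password" and the form id "login" are assumptions.

```javascript
// Added illustration of the hidden-field workaround; not code from the post.
// Assumed names: inputs "username" and "password", form id "login".
function moveCredentialsToHidden(form, names = ["username", "password"]) {
  const doc = form.ownerDocument;
  const moved = [];
  for (const name of names) {
    const visible = form.elements[name];
    // Skip fields that are absent or were already moved by an earlier submit.
    if (!visible || visible.type === "hidden") continue;
    const hidden = doc.createElement("input");
    hidden.type = "hidden";
    hidden.name = name;              // server still receives the same parameter
    hidden.value = visible.value;
    visible.value = "";              // displayed field is empty at submit time
    visible.removeAttribute("name"); // do not post a duplicate, empty parameter
    form.appendChild(hidden);
    moved.push(name);
  }
  return moved;
}

// Browser wiring: the submit event fires before the form data is collected,
// so the hidden inputs added here are included in the request.
if (typeof document !== "undefined") {
  const form = document.getElementById("login");
  if (form) form.addEventListener("submit", () => moveCredentialsToHidden(form));
}
```

The submit event does not fire when a script calls `form.submit()` directly, so a page that submits that way has to call `moveCredentialsToHidden` itself first.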

