Rectangle 27 1953

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.

According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.

<input type="text" name="foo" autocomplete="off" />

This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.

Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...

@Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

And remember to disable your autocomplete = on extension (if you're using Chrome) before you test your webapp. Else you'll feel real silly like me. ;)

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 1953

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.
  • We are the third browser to implement this change, after IE and Chrome.

According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.

According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.

<input type="text" name="foo" autocomplete="off" />
<input type="text" name="foo" autocomplete="off" />

This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.

This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.

Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...

Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...

@Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

@Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

And remember to disable your autocomplete = on extension (if you're using Chrome) before you test your webapp. Else you'll feel real silly like me. ;)

And remember to disable your autocomplete = on extension (if you're using Chrome) before you test your webapp. Else you'll feel real silly like me. ;)

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 1945

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.

According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.

<input type="text" name="foo" autocomplete="off" />

This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.

Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...

@Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

And remember to disable your autocomplete = on extension (if you're using Chrome) before you test your webapp. Else you'll feel real silly like me. ;)

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 213

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

An interesting alternative which may help with browsers that don't support the AutoComplete attribute!

An interesting alternative which may help with browsers that don't support the AutoComplete attribute!

This is a much better solution compared to using autocomplete="off". All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

This is a much better solution compared to using autocomplete="off". All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a "much better solution".

No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a "much better solution".

This solution can work with all browsers, so in that respect it is "better". Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don't want conflicts or strange behavior.

This solution can work with all browsers, so in that respect it is "better". Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don't want conflicts or strange behavior.

Regarding XSRF attacks, I'm not sure what type of attack you were picturing, but couldn't the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn't they append their own random string since it'll be stripped off by the server?

Regarding XSRF attacks, I'm not sure what type of attack you were picturing, but couldn't the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn't they append their own random string since it'll be stripped off by the server?

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 213

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

An interesting alternative which may help with browsers that don't support the AutoComplete attribute!

This is a much better solution compared to using autocomplete="off". All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a "much better solution".

This solution can work with all browsers, so in that respect it is "better". Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don't want conflicts or strange behavior.

Regarding XSRF attacks, I'm not sure what type of attack you were picturing, but couldn't the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn't they append their own random string since it'll be stripped off by the server?

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 213

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

An interesting alternative which may help with browsers that don't support the AutoComplete attribute!

This is a much better solution compared to using autocomplete="off". All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a "much better solution".

This solution can work with all browsers, so in that respect it is "better". Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don't want conflicts or strange behavior.

Regarding XSRF attacks, I'm not sure what type of attack you were picturing, but couldn't the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn't they append their own random string since it'll be stripped off by the server?

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 153

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Why? Many banks and other "high security" websites added autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

What's a web developer to do?

  • If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
  • Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow

Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:

<input type="text" style="display:none">
<input type="password" style="display:none">

I haven't yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.

what do you mean with "adding this on your page seems to disable autofill for the page:"

<form>

@wutzebaer, Chrome notices the hidden password field and halts auto-complete. Reportedly this is to prevent the site stealing password info without the user noticing.

Your snippet of code prevent autocompletes for login fields on Chrome, Firefox, IE 8 and IE 10. Did not test IE 11. Good stuff! Only simple answer that still works.

Your safari note seems to work on Chrome too, at least as of Dec 2015. I had a username and password field on a registration form that was autocompleting with data from the login form. Creating two type='password' fields on the one page caused the browser's "save password" autocomplete to be ignored, which made a whole load of sense since registration forms tend to ask for the password twice when login forms only ask for it once.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 153

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Why? Many banks and other "high security" websites added autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

What's a web developer to do?

  • If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
  • Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow

Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:

<input type="text" style="display:none">
<input type="password" style="display:none">

I haven't yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.

what do you mean with "adding this on your page seems to disable autofill for the page:"

<form>

@wutzebaer, Chrome notices the hidden password field and halts auto-complete. Reportedly this is to prevent the site stealing password info without the user noticing.

Your snippet of code prevent autocompletes for login fields on Chrome, Firefox, IE 8 and IE 10. Did not test IE 11. Good stuff! Only simple answer that still works.

Your safari note seems to work on Chrome too, at least as of Dec 2015. I had a username and password field on a registration form that was autocompleting with data from the login form. Creating two type='password' fields on the one page caused the browser's "save password" autocomplete to be ignored, which made a whole load of sense since registration forms tend to ask for the password twice when login forms only ask for it once.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 153

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Why? Many banks and other "high security" websites added autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.

Why? Many banks and other "high security" websites added autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

What's a web developer to do?

What's a web developer to do?

  • If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
  • If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
  • Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow
  • Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow

Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:

Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:

<input type="text" style="display:none">
<input type="password" style="display:none">
<input type="text" style="display:none">
<input type="password" style="display:none">

I haven't yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.

I haven't yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.

what do you mean with "adding this on your page seems to disable autofill for the page:"

what do you mean with "adding this on your page seems to disable autofill for the page:"

<form>

weird my actual post has some sample code (some input elements) in a "code" format block but they aren't rendering. might be an SO bug?

<form>

@wutzebaer, Chrome notices the hidden password field and halts auto-complete. Reportedly this is to prevent the site stealing password info without the user noticing.

Your snippet of code prevent autocompletes for login fields on Chrome, Firefox, IE 8 and IE 10. Did not test IE 11. Good stuff! Only simple answer that still works.

@wutzebaer, Chrome notices the hidden password field and halts auto-complete. Reportedly this is to prevent the site stealing password info without the user noticing.

Your safari note seems to work on Chrome too, at least as of Dec 2015. I had a username and password field on a registration form that was autocompleting with data from the login form. Creating two type='password' fields on the one page caused the browser's "save password" autocomplete to be ignored, which made a whole load of sense since registration forms tend to ask for the password twice when login forms only ask for it once.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 96

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.

fix browser autofill in: readonly and set writeble on focus (click and tab)

<input type="password" readonly  
     onfocus="this.removeAttribute('readonly');"/>

Update: Mobile Safari sets cursor in the field, but does not show virtual keyboard. New Fix works like before but handles virtual keyboard:

<input id="email" readonly type="email" onfocus="if (this.hasAttribute('readonly')) {
    this.removeAttribute('readonly');
    // fix for mobile safari to show virtual keyboard
    this.blur();    this.focus();  }" />

I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills (just guessing due to observation) the nearest textlike-input field, that appears prior the password field in DOM. As the browser is the last instance and you can not control it,

An if there is no javascript then the whole form fails. -1

@JimmyKane the key would be to also add the attribute using javascript in the first place (which dsuess hasn't done here, but just adding for completeness sake).

This doesn't work right in IE8, the readonly password field is not editable the first time you focus it, only after you unfocus and focus again. Nice idea, but unfortunately it's a bit too hacky and not safe to use.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 96

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.

fix browser autofill in: readonly and set writeble on focus (click and tab)

fix browser autofill in: readonly and set writeble on focus (click and tab)

<input type="password" readonly  
     onfocus="this.removeAttribute('readonly');"/>
<input type="password" readonly  
     onfocus="this.removeAttribute('readonly');"/>

Update: Mobile Safari sets cursor in the field, but does not show virtual keyboard. New Fix works like before but handles virtual keyboard:

I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills (just guessing due to observation) the nearest textlike-input field, that appears prior the password field in DOM. As the browser is the last instance and you can not control it,

An if there is no javascript then the whole form fails. -1

<input id="email" readonly type="email" onfocus="if (this.hasAttribute('readonly')) {
    this.removeAttribute('readonly');
    // fix for mobile safari to show virtual keyboard
    this.blur();    this.focus();  }" />

@JimmyKane the key would be to also add the attribute using javascript in the first place (which dsuess hasn't done here, but just adding for completeness sake).

I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills (just guessing due to observation) the nearest textlike-input field, that appears prior the password field in DOM. As the browser is the last instance and you can not control it,

An if there is no javascript then the whole form fails. -1

@JimmyKane the key would be to also add the attribute using javascript in the first place (which dsuess hasn't done here, but just adding for completeness sake).

This doesn't work right in IE8, the readonly password field is not editable the first time you focus it, only after you unfocus and focus again. Nice idea, but unfortunately it's a bit too hacky and not safe to use.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 94

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.

fix browser autofill in: readonly and set writeble on focus (click and tab)

<input type="password" readonly  
     onfocus="this.removeAttribute('readonly');"/>

Update: Mobile Safari sets cursor in the field, but does not show virtual keyboard. New Fix works like before but handles virtual keyboard:

<input id="email" readonly type="email" onfocus="if (this.hasAttribute('readonly')) {
    this.removeAttribute('readonly');
    // fix for mobile safari to show virtual keyboard
    this.blur();    this.focus();  }" />

I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills (just guessing due to observation) the nearest textlike-input field, that appears prior the password field in DOM. As the browser is the last instance and you can not control it,

An if there is no javascript then the whole form fails. -1

@JimmyKane the key would be to also add the attribute using javascript in the first place (which dsuess hasn't done here, but just adding for completeness sake).

This doesn't work right in IE8, the readonly password field is not editable the first time you focus it, only after you unfocus and focus again. Nice idea, but unfortunately it's a bit too hacky and not safe to use.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 90

I've noticed that adding it to the form element doesn't always prevent it from being applied to individual inputs within the form. Therefore it is probably best to place it on the input element directly.

Actually @sholsinger, it's best to put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

Sadly, as of IE 11, Microsoft no longer respects this for input type="password". Hopefully no other browsers choose to remove this functionality.

Setting autocomplete="off" on the form is the only thing that worked for Chrome.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 90

I've noticed that adding it to the form element doesn't always prevent it from being applied to individual inputs within the form. Therefore it is probably best to place it on the input element directly.

Actually @sholsinger, it's best to put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

Sadly, as of IE 11, Microsoft no longer respects this for input type="password". Hopefully no other browsers choose to remove this functionality.

Setting autocomplete="off" on the form is the only thing that worked for Chrome.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 90

I've noticed that adding it to the form element doesn't always prevent it from being applied to individual inputs within the form. Therefore it is probably best to place it on the input element directly.

Actually @sholsinger, it's best to put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

Sadly, as of IE 11, Microsoft no longer respects this for input type="password". Hopefully no other browsers choose to remove this functionality.

Setting autocomplete="off" on the form is the only thing that worked for Chrome.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 8

This is a security issue that browsers ignores now. Browsers identifies and stores content using input names, even if developpers consider the information is sensitive and should not be stored. Making an input name different between 2 requests will solve the problem (but will still be saved in browser's cache and will also increase browser's cache). Ask the user to activate or deactivate options in its browser's settings is not a good solution. The issue can be fixed in the backend.

Here's my fix. An approach that I have implemented in my framework. All autocomplete elements are generated with an hidden input like this :

<? $r = rmd5(rand().mocrotime(TRUE)); ?>
<form method="POST" action="./">
    <input type="text" name="<? echo $r; ?>" />
    <input type="hidden" name="__autocomplete_fix_<? echo $r; ?>" value="username" />
    <input type="submit" name="submit" value="submit" />
</form>

Server then process post variables like this :

foreach ($_POST as $key => $val)
{
    if(preg_match('#^__autocomplete_fix_#', $key) === 1){
        $n = substr($key, 19);
        if(isset($_POST[$n]))$_POST[$val] = $_POST[$n];
    }
}

The value can be accessed as usual

var_dump($_POST['username']);

And the browser won't be able to suggest information from previous request or from previous users.

All works like a charm, even if browsers updates, wants to ignore autocomplete or not. That has been the best way to fix the issue for me.

+1. While it looks like autocomplete="false" might solve the problem, this seems like an brilliant approach for certain situations.

Doesn't matter to much since this isn't accepted answer, but I figured I'd correct this error. I think you meant this line to be if(isset($_POST[$n])) $_POST[$val] = $_POST[$n];

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 8

This is a security issue that browsers ignores now. Browsers identifies and stores content using input names, even if developpers consider the information is sensitive and should not be stored. Making an input name different between 2 requests will solve the problem (but will still be saved in browser's cache and will also increase browser's cache). Ask the user to activate or deactivate options in its browser's settings is not a good solution. The issue can be fixed in the backend.

Here's my fix. An approach that I have implemented in my framework. All autocomplete elements are generated with an hidden input like this :

<? $r = rmd5(rand().mocrotime(TRUE)); ?>
<form method="POST" action="./">
    <input type="text" name="<? echo $r; ?>" />
    <input type="hidden" name="__autocomplete_fix_<? echo $r; ?>" value="username" />
    <input type="submit" name="submit" value="submit" />
</form>

Server then process post variables like this :

foreach ($_POST as $key => $val)
{
    if(preg_match('#^__autocomplete_fix_#', $key) === 1){
        $n = substr($key, 19);
        if(isset($_POST[$n]))$_POST[$val] = $_POST[$n];
    }
}

The value can be accessed as usual

var_dump($_POST['username']);

And the browser won't be able to suggest information from previous request or from previous users.

All works like a charm, even if browsers updates, wants to ignore autocomplete or not. That has been the best way to fix the issue for me.

+1. While it looks like autocomplete="false" might solve the problem, this seems like an brilliant approach for certain situations.

Doesn't matter to much since this isn't accepted answer, but I figured I'd correct this error. I think you meant this line to be if(isset($_POST[$n])) $_POST[$val] = $_POST[$n];

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 8

This is a security issue that browsers ignores now. Browsers identifies and stores content using input names, even if developpers consider the information is sensitive and should not be stored. Making an input name different between 2 requests will solve the problem (but will still be saved in browser's cache and will also increase browser's cache). Ask the user to activate or deactivate options in its browser's settings is not a good solution. The issue can be fixed in the backend.

Here's my fix. An approach that I have implemented in my framework. All autocomplete elements are generated with an hidden input like this :

<? $r = rmd5(rand().mocrotime(TRUE)); ?>
<form method="POST" action="./">
    <input type="text" name="<? echo $r; ?>" />
    <input type="hidden" name="__autocomplete_fix_<? echo $r; ?>" value="username" />
    <input type="submit" name="submit" value="submit" />
</form>

Server then process post variables like this :

foreach ($_POST as $key => $val)
{
    if(preg_match('#^__autocomplete_fix_#', $key) === 1){
        $n = substr($key, 19);
        if(isset($_POST[$n]))$_POST[$val] = $_POST[$n];
    }
}

The value can be accessed as usual

var_dump($_POST['username']);

And the browser won't be able to suggest information from previous request or from previous users.

All works like a charm, even if browsers updates, wants to ignore autocomplete or not. That has been the best way to fix the issue for me.

+1. While it looks like autocomplete="false" might solve the problem, this seems like an brilliant approach for certain situations.

Doesn't matter to much since this isn't accepted answer, but I figured I'd correct this error. I think you meant this line to be if(isset($_POST[$n])) $_POST[$val] = $_POST[$n];

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 32

The solution for Chrome is to add autocomplete="new-password" to the input type password.

<form name="myForm"" method="post">
<input name="user" type="text" />
<input name="pass" type="password" autocomplete="new-password" />
<input type="submit">
</form>

Chrome always autocomplete the data if it finds a box of type password, just enough to indicate for that box autocomplete = "new-password".

Note: make sure with F12 that your changes take effect, many times browsers save the page in cache, this gave me a bad impression that it did not work, but the browser did not actually bring the changes.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete
Rectangle 27 32

The solution for Chrome is to add autocomplete="new-password" to the input type password.

<form name="myForm"" method="post">
<input name="user" type="text" />
<input name="pass" type="password" autocomplete="new-password" />
<input type="submit">
</form>

Chrome always autocomplete the data if it finds a box of type password, just enough to indicate for that box autocomplete = "new-password".

Note: make sure with F12 that your changes take effect, many times browsers save the page in cache, this gave me a bad impression that it did not work, but the browser did not actually bring the changes.

html - How do you disable browser Autocomplete on web form field / inp...

html autocomplete