
html How do you disable browser Autocomplete on web form field input tag?


fix browser autofill in: readonly and set writable on focus (click and tab)

@JimmyKane the key would be to also add the attribute using javascript in the first place (which dsuess hasn't done here, but just adding for completeness sake).

And if there is no javascript then the whole form fails. -1

I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills (just guessing due to observation) the nearest textlike-input field, that appears prior to the password field in DOM. As the browser is the last instance and you can not control it,

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.



As a user who chooses to have a browser remember (most of) my information, I'd find it annoying if your site didn't remember mine.

Ask yourself why you want to do this though - it may make sense in some situations but don't do it just for the sake of doing it.

It's less convenient for users and not even a security issue in OS X (mentioned by Soren below). If you're worried about people having their passwords stolen remotely - a keystroke logger could still do it even though your app uses autocomplete=off.



An interesting alternative which may help with browsers that don't support the AutoComplete attribute!

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a "much better solution".

Regarding XSRF attacks, I'm not sure what type of attack you were picturing, but couldn't the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn't they append their own random string since it'll be stripped off by the server?

This is a much better solution compared to using autocomplete="off". All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

This solution can work with all browsers, so in that respect it is "better". Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don't want conflicts or strange behavior.
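
The randomized-name approach from the answer and comments above, sketched for a Node.js server as an added example (not code from the original posts). The function names, the `session` object and the `/login` action are assumptions; the suffix comes from a CSPRNG instead of `md5(uniqid())`, and the server accepts only the suffix it stored in the session rather than stripping whatever tail was submitted.

```javascript
// Added example: per-session randomized form field names (all names hypothetical).
const crypto = require('crypto');

// Create a fresh random suffix for each rendered form and keep it server-side.
function issueFieldSuffix(session) {
  session.fieldSuffix = crypto.randomBytes(16).toString('hex'); // 32 hex chars
  return session.fieldSuffix;
}

// Render the login form with suffixed names; autocomplete="off" is kept as well.
function renderLoginForm(session) {
  const s = issueFieldSuffix(session);
  return [
    '<form method="post" action="/login" autocomplete="off">',
    `  <input type="text" name="user_${s}" autocomplete="off" />`,
    `  <input type="password" name="pass_${s}" autocomplete="off" />`,
    '</form>',
  ].join('\n');
}

// Map submitted names back to canonical ones. Only names ending in the suffix
// stored for this session are accepted, and the suffix is single-use.
function canonicalizeBody(session, body) {
  const suffix = session.fieldSuffix;
  delete session.fieldSuffix;               // one render, one submission
  if (!suffix) return null;                 // no form was issued, or it was replayed
  const tail = '_' + suffix;
  const out = Object.create(null);          // no prototype keys to collide with
  for (const [name, value] of Object.entries(body)) {
    if (!name.endsWith(tail)) return null;  // stale or caller-chosen suffix: reject
    out[name.slice(0, -tail.length)] = value;
  }
  return out;
}
```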



to the form tag will disable the browser autocomplete (what was previously typed into that field) from all input fields within that particular form.



On a related, or actually, on the completely opposite note - if you're the user of the aforementioned form and want to re-enable the autocomplete functionality, use the 'remember password' bookmarklet from this bookmarklets page. It removes all 'autocomplete="off"' attributes from all forms on the page. Keep fighting the good fight!



So, we had the login page generate random field names that would only work for that post. Yes, it's less convenient, but it's just hitting the user over the head about not storing login information on public terminals.

We did actually use sasb's idea for one site. It was a medical software web app to run a doctor's office. However, many of our clients were surgeons who used lots of different workstations, including semi-public terminals. So, they wanted to make sure that a doctor who doesn't understand the implication of auto-saved passwords or isn't paying attention can't accidentally leave their login info easily accessible. Of course, this was before the idea of private browsing that is starting to be featured in IE8, FF3.1, etc. Even so, many physicians are forced to use old school browsers in hospitals with IT that won't change.



Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.

According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.

<input type="text" name="foo" autocomplete="off" />

This did not work for me in Firefox 3.0.3. I had to put the autocomplete attribute in the FORM rather than the INPUT.

Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...

@Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

And remember to disable your autocomplete = on extension (if you're using Chrome) before you test your webapp. Else you'll feel real silly like me. ;)
