Control Autocompletion of user names and passwords on registration with anonymous users

0
Hi All,   When creating an anonymous user registration form (say Register_Web) which uses a new Registration NPE in a dataview, I get prefilled values for username and password (they're text fields, password one set to show as password) when I go to this page from say a Login_Web page, where Chrome autofilled a username and password. I checked the NanoFlow which makes the NPE, it is indeed empty before it is passed into the dataview on the Register_Web form, but then, when it is displayed, Chrome did its thing, and put the values for user name and password that it had from the Login_Web form, and the fields are not empty. I want to either stop this from happening (the auto completion), or I want a method to clear out the values for the user name and password field after the page is loaded and Chrome did it's nefarious autofil. I've seen many entries on autocomplete=off, or autocomplete=new-password ( I also would want something like that for the user name please). They don't work.  I put a HTMLElement around the password field and then created an attribute autocomplete with text expression new-password, false, off (in three different tires) and it never worked to prevent the auto complete, or to ensure the NPE password field value remained empty, as it was when the NPE was passed in. Does anyone one have some ideas on how to stop this, and if you do, could you provide some clear examples on how, and not some  generic"you could do this...." statements? Can this be solved without things like jquery, javascript etc.?
asked
1 answers
0

I'm facing the same issue.

 

Apparently it's not that easy as modern browsers ignore the autocomplete="off" feature.

The only way is to not use the password manager for the browser but this relies to trust on the client. For our case we are checking with IT if this browser setting can be managed by the organization.

 

From the mozilla docs:

 

Managing autofill for login fields

Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.

Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

For this reason, many modern browsers do not support autocomplete="off" for login fields:

  • If a site sets autocomplete="off" on a <form> element and the form includes username and password input fields, the browser will still offer to remember this login. If the user agrees, the browser will autofill those fields the next time the user visits the page.
  • If a site sets autocomplete="off" for username and password <input> fields, the browser will still offer to remember this login. If the user agrees, the browser will autofill those fields the next time the user visits the page.

If you are defining a user management page where a user can specify a new password for another person, and therefore, you want to prevent autofilling of password fields, you can use autocomplete="new-password".

 

 

answered