Autocomplete and you

Internet Explorer and several other browsers have a “feature” that remembers passwords for you. It’s one of the first things I turn off when using a new machine or installing a new browser.

Several times I’ve dealt with bug reports that say “IE is caching the password for the site”. I’ve usually considered it a PEBKAC since the bug report is basically “IE is caching passwords when its password caching feature is turned on” or “my browser is working as designed”.

Today I decided to see if there was a server-side solution to the problem of IE working as designed. And to my slight surprise, there is. Several browsers support the autocomplete attribute on the form element, as described here:

<form name="form1" id="form1" method="post" autocomplete="off" action="http://www.example.com/form.cgi">
[...]
</form>

This wasn’t a perfect solution for me. My current project uses JSF, so instead of coding up <form> elements, I’m coding up <h:form> and letting JSF work its magic. And JSF’s form control doesn’t support the autocomplete attribute. But! JSF’s inputSecret control supports the autocomplete attribute. So now my password fields looks like this:

<h:inputSecret autocomplete="off" redisplay="false" value="#{LoginController.password}" id="password" required="true" />

This doesn’t quite work as I expected. What it does it stop the browser from storing the value of the password. So if your browser has already cached the password, it’s too late – it stays cached. But if you clear the password cache, and hit the site with your browser again, the password is not stored and will not be automatically entered for you when you return to the site.

It's only fair to share...
Share on FacebookGoogle+Tweet about this on TwitterShare on LinkedIn

Leave a Reply