K
Kenn White
Greetings.
Just spent a non-trivial amount of time figuring this out, and thought
it might be useful for others. (Working example at bottom of post)
Issue: For a login screen on a secure intranet site, I would *really*
like to have browsers not "remember" the username and password via
autocomplete. I have no control over the individual desktops, so that
rules out tying down the defaults in the browser prefs, or using some
group policy. It's not a public site, so I have some latitude to be a
little heavy handed, particularly given that many workstations are
effectively "common" machines, in which it would be a very Bad Idea for
Bob's login/password to be "remembered" when Jane accesses the same
login bookmark.
The traditional answer is either <form ... autocomplete='off'> which
historically has been an IE-only proprietary option (in recent years,
Mozilla's gecko engine has started recognizing it too), or use a series
of HTTP directives (private, no-cache, etc.) see:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&th=7a2b3772552c22e2&rnum=1
Problem: The XHTML Strict doctype recognizes no "autocomplete"
attribute, and thus any page that uses it will fail validation. I don't
really want to push a completely alternative DTD just for this one
issue, but making the problem go away for the 99% of browsers that my
user community will likely use *would be* highly desirable.
Solution: Here is my solution/hack (depending on your perspective):
Following body.onload, call the setAttribute method of the form (or
alternatively, any individual input box) to disable autocomplete.
Works in IE and Mozilla AND passes XHTML strict validation. Note that
Mozilla seems to ignore it (i.e., offers to save passwords) once the
first form element has had focus set. Thus, it's the last thing I do.
Also, in my example below, the more straight-forward approach of
f.autocomplete="off" only works in IE. Strange, because the Mozilla
Javascript console shows no error, and the DOM inspector even looks
identical to hard-coding the autocomplete="off" in the form tag.
Lastly, FWIW this doesn't work in Opera 7.22 -- the wand "feature"
cheerfully offers to remember your login.
-kenn
_________________________________
....
<script type="text/javascript">
function init() {
if (!document.getElementById) return false;
var f = document.getElementById('login');
var u = f.elements[0];
f.setAttribute("autocomplete", "off");
u.focus();
}
</script>
....
<body onload='init()'>
<form id='login' action='foo' method='post'>
<p id='l'>
<input type='text' name='u' value='' /> Username
<input type='password' name='p' value='' /> Password
<input type='submit' value='Login' />
</p>
</form>
....
Just spent a non-trivial amount of time figuring this out, and thought
it might be useful for others. (Working example at bottom of post)
Issue: For a login screen on a secure intranet site, I would *really*
like to have browsers not "remember" the username and password via
autocomplete. I have no control over the individual desktops, so that
rules out tying down the defaults in the browser prefs, or using some
group policy. It's not a public site, so I have some latitude to be a
little heavy handed, particularly given that many workstations are
effectively "common" machines, in which it would be a very Bad Idea for
Bob's login/password to be "remembered" when Jane accesses the same
login bookmark.
The traditional answer is either <form ... autocomplete='off'> which
historically has been an IE-only proprietary option (in recent years,
Mozilla's gecko engine has started recognizing it too), or use a series
of HTTP directives (private, no-cache, etc.) see:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&th=7a2b3772552c22e2&rnum=1
Problem: The XHTML Strict doctype recognizes no "autocomplete"
attribute, and thus any page that uses it will fail validation. I don't
really want to push a completely alternative DTD just for this one
issue, but making the problem go away for the 99% of browsers that my
user community will likely use *would be* highly desirable.
Solution: Here is my solution/hack (depending on your perspective):
Following body.onload, call the setAttribute method of the form (or
alternatively, any individual input box) to disable autocomplete.
Works in IE and Mozilla AND passes XHTML strict validation. Note that
Mozilla seems to ignore it (i.e., offers to save passwords) once the
first form element has had focus set. Thus, it's the last thing I do.
Also, in my example below, the more straight-forward approach of
f.autocomplete="off" only works in IE. Strange, because the Mozilla
Javascript console shows no error, and the DOM inspector even looks
identical to hard-coding the autocomplete="off" in the form tag.
Lastly, FWIW this doesn't work in Opera 7.22 -- the wand "feature"
cheerfully offers to remember your login.
-kenn
_________________________________
....
<script type="text/javascript">
function init() {
if (!document.getElementById) return false;
var f = document.getElementById('login');
var u = f.elements[0];
f.setAttribute("autocomplete", "off");
u.focus();
}
</script>
....
<body onload='init()'>
<form id='login' action='foo' method='post'>
<p id='l'>
<input type='text' name='u' value='' /> Username
<input type='password' name='p' value='' /> Password
<input type='submit' value='Login' />
</p>
</form>
....
