5

I want to prevent browsers from storing and showing input values. This is how I do this:

<form autocomplete="off">
<input type="text" autocomplete="off" name="login" />
<input type="password" autocomplete="off" name="pswd" />
...
</form>

But for some insane reasons browsers keep storing and showing values, even if I completely clear browser history. So, I wonder why autocomplete="off" is not working. Probably, there is another, more proper way to do this. PS. I'm not sure whether it is important or not, but I'm using jquery to build my form.

EDIT

And by the way, contrary to official W3C documentation, in HTML5 autocomplete="off" is not respected (at least in FF).

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Jacobian
  • 10,122
  • 29
  • 128
  • 221
  • Even `value=""` does not help. – Jacobian Oct 06 '15 at 07:57
  • 2
    Isn't a duplicate of this? http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag – Dmytro Pastovenskyi Oct 06 '15 at 08:00
  • which browser version are you using? – Deepak Biswal Oct 06 '15 at 08:01
  • @ Deepak Biswal. FF 40.0.3. Ubuntu OS. – Jacobian Oct 06 '15 at 08:02
  • @ Dmytro Pastovenskyi. It seems like all threads prior to 2011 are outdated. There should be some other technique in modern browsers to implement the desired behaviour – Jacobian Oct 06 '15 at 08:08
  • Have you tried in privacy mode? Submit a form, access the page again (without exiting the window) and check if the browser has remembered the values. – Burgi Oct 06 '15 at 08:08
  • @ Burgi . When I go to a privacy mode, I see that by default inputs are empty (different to what I see in a normal mode). However, when I start typing something, I see a drop-down list with previous logins – Jacobian Oct 06 '15 at 08:15
  • @Burgi. However there is one difference, is that if I type a new login and new password, it will not be stored. But I wish I could do this programmatically, without forcing users to use privacy mode every time when they login to the application. – Jacobian Oct 06 '15 at 08:22
  • @Jacobian my thought is that your dev machine might have remembered the entries from the fields _before_ you added the autocomplete attribute – Burgi Oct 06 '15 at 08:44

7 Answers7

7

From https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields:

[...] many modern browsers do not support autocomplete="off" for login fields.

  • if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.
  • if a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.

While the reasoning behind this is debatable, it's intended behavior.

Community
  • 1
  • 1
Goujon
  • 187
  • 5
  • It seems like the most relevant answer. But is there any alternative to no longer working autocomplete="off"? – Jacobian Oct 06 '15 at 08:23
  • I personally haven't tried circumventing that behavior, so I can only speculate. What might work is _not_ having the username, password and submit button inside a form and (on button click / enter) using javascript to copy the username and password to a hidden form, then submitting programmatically. Altough I generally think circumventing intended behavior is a bad idea and will cause problems down the line, like users complaining that their form somehow doesn't behave the way they're used to. – Goujon Oct 06 '15 at 08:58
3

Modern browsers with a builtin password manager ignore autocomplete="off" in login forms (usually specifically forms with a <input type="password">). When the enduser logs in for the first time via such a form, the browser will ask the enduser whether to remember the login for this site or not. If the enduser chooses No, then default behavior will continue (so autocomplete attribute will be respected, regardless of its value). However, if enduser chooses Yes, then default behavior will be overriden and it will behave as if autocomplete is always turned on. This is a browser configuration setting which is by default on. This is also mentioned in MDN.

You can work around this by simply using Ajax to submit the form. In other words, instead of using a "plain vanilla" synchronous HTML POST form, make use of XMLHttpRequest (if necessary indirectly via e.g. jQuery or equivalent). The current browsers don't recognize a login via Ajax and therefore won't ask the enduser to remember the login.

In case your web framework doesn't offer builtin Ajax facilities, then consider throwing in jQuery. It's then a matter of below lines to unobtrusively enhance an existing form. The below basic kickoff example assumes that you've reworked the server side to return plain text true or false as response, depending on whether the login was successful or not. You could if necessary conditionally respond depending on the value of X-Requested-With header:

$(document).on("submit", "#loginFormId", function() {
    var $form = $(this);

    $.post($form.attr("action"), $form.serialize(), function(response) {
        if (response) {
            window.location = "home.html"; // Redirect to homepage.
        } else {
            $("#errorMessageId").text("Unknown login, please retry");
            $form[0].reset();
        }
    });
});
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
2

autocomplete="off" and autocomplete="false" seems to not work both for chrome and firefox, you could write anything apart from these two like autocomplete="none" this will work. Go through below links: Chrome automcomplete disabling-chrome-autofill

MADHUR GUPTA
  • 1,014
  • 10
  • 14
1

Are you using Chrome? Maybe this bug is relevant, particularly this comment.

The comment states

autocomplete="off" is NOT respected for Autofill data, whether saving or filling. You can see your Autofill data in chrome://settings/autofill. It includes addresses and credit cards.

autocomplete="off" still IS respected for Autocomplete data, both saving and filling. I know the terminology is confusing. Autocomplete data simply tries to match the name attributes. So if you have entered "user@example.com" into an input with name="email" in the past, and Chrome sees another name="email" input, Chrome will offer to complete that data. However, autocomplete="off" will stop this from happening.

caniuse.com is a good resource as well for checking which browsers support a given feature.

user5325596
  • 2,310
  • 4
  • 25
  • 42
0

I think you should be removing the "" on autocomplete and on name because they're properties not values.

<form autocomplete="off">
 <input type="text" name="login" />
 <input type="password" name="pswd" />
</form>
Sam Teng Wong
  • 2,379
  • 5
  • 34
  • 56
0

Workaround to prevent browsers to fill in the password but using "password" type...

Try with: <input type='text' ... onfocus=' this.type="password" ' autocomplete='off'/>

Ivan Aracki
  • 4,861
  • 11
  • 59
  • 73
kwnet.at
  • 9
  • 2
0

A bit late to the party, but if autocomplete="off" isn't being respected by the browser, wich is the case by many modern browsers, i always use autocomplete="new-password". Be sure to add this as the first property of the input element.

Read all about it on this MDN Web Doc

Daniel van der Wal
  • 9
  • 2