Is there a way to tell the browser not to save site authentication locally?

  • Question

  • User1292358045 posted

    My site has a folder set to not allow anonymous requests; all requests need to be logged on as a domain user. So the browser will pop up a window to ask for a username/password to proceed. My question is: many browsers ask whether the user wants to save the username/password locally. Is there a way to tell the browser not to do this?

    Friday, September 26, 2014 1:08 PM

All replies

  • User-734925760 posted

    Hi,

    So far as I know, if you do not want browser to save username and password, you need to set the autocomplete property to off by the code below:

    <form id="loginForm" action="login.cgi" method="post" autocomplete="off">

    There is a similar thread, please refer to the link below:

    http://stackoverflow.com/questions/32369/disable-browser-save-password-functionality

    Hope it's useful for you.

    Best Regards,

    Michelle Ge

    Sunday, September 28, 2014 3:24 AM
  • User1292358045 posted

    Sorry, I am looking to disable password saving for the IIS authentication check, not for passwords in HTML forms.

    Monday, September 29, 2014 11:35 AM
  • User-760709272 posted

    Basic auth is part of the operating system, you can't control it from your .net code, or the html.  Browsers are even starting to ignore the autocomplete field on password form boxes.  Whether a user has their password stored is for them to decide, not your site.  Please note also that basic auth (the pop-up box) is *very* insecure as it transmits the username and password in clear text with each request, and I'd go as far as to say that it should never be used.

    Monday, September 29, 2014 11:53 AM
  • User1292358045 posted

    I am using windows authentication, not basic auth, so I think the user/password is encrypted before transfer over the internet.

    I know normal .net code/html can't control this, since it happens before requests are sent to the .net engine. I wonder if some settings of IIS/web.config can be set, so that IIS has protocols with the browser to suggest the browser not save auth info.

    Monday, September 29, 2014 4:53 PM
  • User-760709272 posted

    Your windows auth isn't working :) When using windows auth, authentication is seamless; you don't get a pop-up. When windows auth is configured but not available, and basic auth is configured, then it will fall to basic auth, which is what you're seeing with the pop-up. If you disable basic auth you'll probably find your site doesn't work at all.

    Monday, September 29, 2014 5:51 PM
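
What the replies above say about Basic authentication, as an added example that is not part of the original thread: the sketch lists the schemes a 401 challenge advertises and shows that a Basic `Authorization` value is only base64-encoded. The sample response, host name and credentials are constructed, and the function names are this example's own.

```python
import base64

# Constructed sample: a 401 challenge with Windows authentication providers
# and Basic both enabled (header values are illustrative, not captured).
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="intranet.example"\r\n'
    "\r\n"
)

def offered_schemes(raw_response):
    """Return the schemes advertised in WWW-Authenticate headers, in order."""
    schemes = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def decode_basic(authorization_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    Basic is base64 of 'user:password' (RFC 7617): an encoding, not encryption.
    Returns None for any other scheme or for malformed input.
    """
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                              # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")   # password may contain ':'
    return (user, password) if sep else None

def audit(raw_response):
    """Flag a challenge that lets a client fall back to Basic."""
    schemes = offered_schemes(raw_response)
    return {"schemes": schemes, "basic_offered": "basic" in schemes}

if __name__ == "__main__":
    print(audit(SAMPLE_401))
    # Constructed credentials, encoded the way a browser sends them.
    header = "Basic " + base64.b64encode(b"CORP\\alice:S3cret:pw").decode("ascii")
    print(decode_basic(header))
```
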
  • User1292358045 posted

    So, even if the site is on https, the username/password is still transferred as clear text?

    Tuesday, September 30, 2014 11:28 AM
  • User-760709272 posted

    The password is encrypted over the wire with https, but basic auth still leaves you vulnerable in other ways

    http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https

    Tuesday, September 30, 2014 11:49 AM
  • User71929859 posted

    I wonder if some settings of IIS/web.config can be set, so that IIS has protocols with the browser to suggest the browser not save auth info.

    No, it's a browser setting which cannot be controlled from your application.

    Wednesday, October 1, 2014 1:52 AM
  • User753101303 posted

    Hi,

    AFAIK no, and my understanding is that this is even considered bad (i.e. you remove from the user something that can actually be safer if properly handled).

    Sunday, November 23, 2014 10:26 AM