[RESOLVED] Form which forces browser not save form data

2005

Is there any way how to force browsers not to save users data in forms? In IE form data saving is enabled by default, but its a big security issue. Imagine, I login to some website from some public computer. Next visitor who will open the same website will be able to login with my data because username and password are already saved in login form. I have several dating websites and from time to time users ask to make changes to my website so that their login data are not being saved. They are sure that it's website and not their browser issue. For most unexperienced computer users it's a big problem to disable form data saving even if tel how to do this.

Thank you.

bpat1434

Unfortunately no. You're talking about IE and Firefox caching the input values of similar fields. So if you're on SiteA and you input your username into a "name" text input field, then visit SiteB, if that has an identical field, you should be able to "auto-complete" your username.

Unfortunately there's no server-side way to counter-act this. They have to learn about the security features of IE / Firefox / Opera / Safari / whatever and implement them. In Firefox you would want to "Clear Private data when Firefox Closes" and then make sure that it clears submitted form data. In IE I can't even find it, but my guess is you have to clear the data in that too.

Anyway, you might try putting the header of "Cache-Control: private" and setting the expires date to the day before. That may help.

You may also want to add an onSubmit call to a JS function to put all the post info together. You could then theoretically just have input fields, and not name them. Then in JS just refer to them by their key # in the JS array:

HTML Form

<form name="loginForm" action="login.php" onSubmit="checkLogin('loginForm');" action="post">
  Username: <input type="text" /><br />
  Password: <input type="password" /><br />
  <input type="submit" value="Log In" /> &nbsp; <input type="reset" value="Clear Form" />
    <input type="hidden" name="username" value="" />
    <input type="hidden" name="password" value="" />
</form>

Javascript:

function checkForm(formName) {
    var form = document.forms.formName;
    var postInfo;
    var fields = new Array('username', 'password');

for(var i=0; i<form.length; i++) {
    if(fields[i])
        fields[i].value = form.elements[i].value;
}
return true;
}

Then your info goes into hidden fields. Not sure that will really help, but it's something. Although this mainly is a browser operator issue.

2005

Thank you for your reply.

I have another idea - forms where php generates random field names.

Instead of:

<input type="text" name="username" value="" />
<input type="password" name="password" value="" />

The form will look like this:

<input type="text" name="username-a4by45GtU76Gfs4hdhj" value="" />
<input type="password" name="password-dgs46adF43sJHgt" value="" />

The problem is that I don't kniw how to process forms if field names will be different every time. Maybe it's not possible at all.

bpat1434

Well, what you could do is use a type of salt. Make a hidden field, and populate it with todays date and time and a "salt" of your choosing, and then cut it to 32 characters.

Something like:

Functions.php

define('SALT_LENGTH', 10);
define('MyText', 'myWebsite');

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

Your HTML form:

include('functions.php');
// ...
$security = generateHash(MyText);
echo '<input type="hidden" name="security" value="' . $security . '" />
<input type="text" name="username'.$security.'" value="" />
<input type="password" name="password'.$security.'" value="" />';
// ...

And to "decrypt" or make sure it's right:

include('functions.php');
$hash = $_POST['security'];

$username = $_POST['username'.$hash];
$password = $_POST['password'.$hash];

if(empty($username) || empty($password))
    die('Hacking Attempt');

//...

But that's a basic idea of extra encryption. You might think about using AJAX with this too. Send the username across to your encryption file which sends back a JSON or XML response with the username salted with whatever text (current time?) and you then you can use that security code to know whether it's authentic. I'm not a security expert, so take my examples with a grain of salt (no pun intended).

But like I said before, I still think it's a browser operator (i.e. the person sitting at the keyboard) error. They have to know the risks of surfing the web, and how to properly secure their browser.

2005

bpat1434, thank you very much. That's what I was looking for. Great!