From: "Michael A. Peters" on
I'm working on the user registration part of my site.

User registration works fine, but there's an oddity with password
management.

The user I registered is username: someone

After logging in, I told firefox to save the username and password.

I then went to the UserPrefs page to test both e-mail and password change.

http://www.clfsrpm.net/someone.png

FireFox for some reason auto-filled in the username in the verify e-mail
field for the Update E-Mail Address form.

Even though the form requires valid login to even see, for security
reasons I want valid password entered. I don't mind the auto-filling in
of the password by firefox, I do mind that it decided to put the login
name in the field before it.

Here's the html for that form:

<h2>Account Settings</h2>
<form id="formemail" method="post" action="UserPrefs">
<fieldset id="fieldsetemail" class="leftFloat">
<legend>Update E-Mail Address</legend>

<p><strong>NOTE</strong>: Updating your e-mail address will
result in a temporarily disabled account until your new e-mail address
has been validated.</p>
<div id="divemail" class="formFloat">
<p>
<label for="email">New E-Mail</label>
<br/>
<input type="text" id="email" name="email" size="64"/>
</p>

<p>
<label for="vemail">Verify New E-Mail</label>
<br/>
<input type="text" id="vemail" name="vemail" size="64"/>
</p>
</div>
<div id="divemailpassword" class="formFloat">
<p>

<label>Enter Current Password</label>
<br/>
<input type="password" id="emailpassword" name="password"
size="20"/>
</p>
</div>
</fieldset>
<div id="email_submit" class="formFloat">
<input type="hidden" name="ptoken" value="*snip*"/>

<input type="submit" id="imail" name="imail" value="Submit"/>
</div>
</form>

The id for the input it is incorrectly auto-filling is vemail.
Is there a way to flag firefox not to autofill the username for that
form? I thought it would be smart enough not to because the field
name/id is different than the login field id/name but apparently not.

Furthermore, when testing the e-mail change, Firefox asked if I wanted
to save the password. I said yes to see what happens - and now it has
the e-mail stored as a possible username for the site, which is
blatantly wrong. There must be a way to disable it.

I suppose I could remove the password field from the form, and upon
submit - then ask for password verification on a different form, but
that seems kind of sucky.

From: "Michael A. Peters" on
Michael A. Peters wrote:
> I'm working on the user registration part of my site.
>
> User registration works fine, but there's an oddity with password
> management.
>
> The user I registered is username: someone
>
> After logging in, I told firefox to save the username and password.
>
> I then went to the UserPrefs page to test both e-mail and password change.
>
> http://www.clfsrpm.net/someone.png
>
> FireFox for some reason auto-filled in the username in the verify e-mail
> field for the Update E-Mail Address form.
>
> Even though the form requires valid login to even see, for security
> reasons I want valid password entered. I don't mind the auto-filling in
> of the password by firefox, I do mind that it decided to put the login
> name in the field before it.
>
> Here's the html for that form:

*snip*

For now I'm just not requiring password for e-mail change, that page is
only served with authenticated login. Not what I want, but *sigh* - it
does solve the problem.
From: kranthi on
seems more of a firefox question than a PHP question...

just replace <form id="formemail" method="post" action="UserPrefs">
with <form id="formemail" method="post" action="UserPrefs"
autocomplete="off">

https://developer.mozilla.org/en/How_to_Turn_Off_form_Autocompletion
From: "Michael A. Peters" on
kranthi wrote:
> seems more of a firefox question than a PHP question...
>
> just replace <form id="formemail" method="post" action="UserPrefs">
> with <form id="formemail" method="post" action="UserPrefs"
> autocomplete="off">
>
> https://developer.mozilla.org/en/How_to_Turn_Off_form_Autocompletion
>

Thanks!

I found that for xhtml I had to use following DOCTYPE to get it to validate:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" [
<!ATTLIST form autocomplete CDATA #IMPLIED>
]>

From what I gather, though I did not try it, when sent with the improper
text/html MIME type, browsers add a bogus ]> to the top of the output;
declaring an ATTLIST should only be done if sent as application/xhtml+xml.

I still have to check and see how opera reacts to that (IE gets html
version of my pages so it won't get that anyway, I can't test safari)

html won't validate with that attribute, but that's OK I guess.
Maybe it will in html 5 (I don't know) but that's not even stable yet.

I'd prefer it to be at the input level rather than form level; the
problem (and I think it is a Firefox bug) is that it assumes an input
before a password in the same form as a password is a login name.

I *might* actually be able to just move the password field above the
e-mail change and fix it.

But the autocomplete='off' is very useful to me for another form where
users add GPS coordinates, which are from within Shasta County and thus
all very close, unless the records are for identical coordinates they'll
never be the same and if they are identical, using the autocomplete
feature risks a mistake of selecting the wrong one thus resulting in
bogus data.


From: Andrew Ballard on
On Tue, May 26, 2009 at 4:36 PM, Michael A. Peters <mpeters(a)mac.com> wrote:
> kranthi wrote:
>>
>> seems more of a firefox question than a PHP question...
>>
>> just replace <form id="formemail" method="post" action="UserPrefs">
>> with <form id="formemail" method="post" action="UserPrefs"
>> autocomplete="off">
>>
>> https://developer.mozilla.org/en/How_to_Turn_Off_form_Autocompletion
>>
>
> Thanks!
>
> I found that for xhtml I had to use following DOCTYPE to get it to validate:
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
> "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" [
> <!ATTLIST form autocomplete CDATA #IMPLIED>
> ]>
>
> From what I gather, though I did not try it, when sent with the improper
> text/html MIME type, browsers add a bogus ]> to the top of the output;
> declaring an ATTLIST should only be done if sent as application/xhtml+xml.
>
> I still have to check and see how opera reacts to that (IE gets html version
> of my pages so it won't get that anyway, I can't test safari)
>
> html won't validate with that attribute, but that's OK I guess.
> Maybe it will in html 5 (I don't know) but that's not even stable yet.
>
> I'd prefer it to be at the input level rather than form level; the problem
> (and I think it is a Firefox bug) is that it assumes an input before a
> password in the same form as a password is a login name.
>
> I *might* actually be able to just move the password field above the e-mail
> change and fix it.
>
> But the autocomplete='off' is very useful to me for another form where users
> add GPS coordinates, which are from within Shasta County and thus all very
> close, unless the records are for identical coordinates they'll never be the
> same and if they are identical, using the autocomplete feature risks a
> mistake of selecting the wrong one thus resulting in bogus data.
>


I just thought I'd toss this out there. Do you know that there is an
effort to remove browser support for this attribute (or at least give the
user a browser configuration option to ignore it)?

http://article.gmane.org/gmane.org.w3c.whatwg.discuss/3054

This article discusses some of the issues involved.
https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML


The discussion is primarily centered around banks using it to prevent
browsers from remembering your login credentials for their web sites,
and the idea that the user should ultimately remain in control of the
browser and that a website should not be able to assert control
against the user's wishes (in this case by preventing the user from
using the form manager or password manager to store the information).


Andrew
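
Added example (not part of the original thread, and not Firefox's code): a simplified JavaScript model of the behaviour discussed above, where the text input nearest before the first password field is treated as the login name. The form objects, the function name and the honorsAutocompleteOff flag are assumptions made for illustration.

```javascript
// Simplified model of the heuristic described in this thread; not Firefox source.
const TEXT_LIKE = new Set(["text", "email"]);

// Returns the name of the input that would be treated as the login name,
// or null if the password manager would leave the form alone.
function guessUsernameField(form, browser = { honorsAutocompleteOff: true }) {
  if (form.autocomplete === "off" && browser.honorsAutocompleteOff) return null;
  const pw = form.fields.findIndex((f) => f.type === "password");
  if (pw === -1) return null; // no password field, nothing to pair with
  // Walk backwards from the first password field to the nearest text input.
  for (let i = pw - 1; i >= 0; i--) {
    if (TEXT_LIKE.has(form.fields[i].type)) return form.fields[i].name;
  }
  return null; // password comes first: no candidate username field
}

// Constructed from the field order of the form posted in the first message.
const ORIGINAL = {
  fields: [
    { name: "email", type: "text" },
    { name: "vemail", type: "text" },
    { name: "password", type: "password" },
    { name: "ptoken", type: "hidden" },
    { name: "imail", type: "submit" },
  ],
};
// Same fields with the password input moved above the e-mail inputs.
const REORDERED = {
  fields: [ORIGINAL.fields[2], ORIGINAL.fields[0], ORIGINAL.fields[1],
           ORIGINAL.fields[3], ORIGINAL.fields[4]],
};
// Form-level autocomplete="off", as suggested in the reply.
const AUTOCOMPLETE_OFF = { autocomplete: "off", fields: ORIGINAL.fields };

console.log(guessUsernameField(ORIGINAL));         // "vemail"
console.log(guessUsernameField(REORDERED));        // null
console.log(guessUsernameField(AUTOCOMPLETE_OFF)); // null
// A browser configured to ignore the attribute behaves as if it were absent.
console.log(guessUsernameField(AUTOCOMPLETE_OFF, { honorsAutocompleteOff: false })); // "vemail"
```

The last call shows why the server still has to check the submitted current password itself: the attribute is only a hint the browser may disregard.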