3

This has been bothering me for a few weeks now.

I have a login form that used to require username + password:

<form role="form" method="post" action="/login" class="form-signin">
    <div class="form-group">
        <label for="username">Username</label>
        <input id="username" name="username" type="text" placeholder="ex: AD\jdoe" required="required" autofocus="autofocus" class="form-control"/>
    </div>
    <div class="form-group">
        <label for="password">Password</label>
        <input id="password" name="password" type="password" required="required" class="form-control"/>
    </div>
</form>

I changed it to use the user's email instead due to reasons:

<form id="form" role="form" method="post" action="/login" class="form-signin">
    <div class="form-group">
        <label for="email">Email</label>
        <input id="email" name="email" type="email" placeholder="ex: name@website.com" required="required" autofocus="autofocus" autocomplete="email" class="form-control required"/>
    </div>
    <div class="form-group">
        <label for="password">Password</label>
        <input id="password" name="password" type="password" required="required" class="form-control"/>
    </div>
</form>

Much to my surprise, Chrome was still auto-filling out the email field with the previously saved credentials. I tried a variety of permutations on the email field's attributes to no avail (also tried renaming the password field as well just in case, and that too still gets auto-filled). Firefox has the same behavior as well.

I also tried renaming the form itself, and adding a second form just to test wherein the browser filled in both sets of inputs.

Finally, exasperated, I came up with this workaround:

<form id="form" role="form" method="post" action="/login" class="form-signin">
    <div class="form-group">
        <label for="email">Email</label>
        <input id="email" name="email" type="email" placeholder="ex: name@website.com" required="required" autofocus="autofocus" autocomplete="email" class="form-control required"/>
        <!-- Workaround for inability to clear the autocomplete functionality of a previously named field-->
        <input id="username" type="text" name="username" class="hidden"/>
    </div>
    <div class="form-group">
        <label for="password">Password</label>
        <input id="password" name="password" type="password" required="required" class="form-control"/>
    </div>
</form>

The downside is that it won't save the user's email if they have previously saved credentials, and it continues to auto-fill the password (and the username too).

Of course, I can add some error to trigger to validate the field is an email and whatnot, but I'm more curious as to why this behavior is happening. It seems that short of removing the saved credentials in my own browser, I have no way to reset the auto-complete data for my users to prevent it from erroneously filling in the username into the email field.

What's kind of funny as well, since I set the new input to be of type email, it triggers the validation of the field and throws the browser's validation error saying the username is not a valid email (as expected).

Enzo
  • 150
  • 8

2 Answers2

1

I referenced this Stack Overflow question, which says:

It does not care what the field is called - just assumes the field before password is going to be your username.

This was what I was guessing to be the problem. Because your field is named password, it assumes that whatever comes before it is also related to login credentials (which is 100% time how it goes).

If you never want autocomplete on your login, that's the easier solution: simply disable autocomplete on the fields by using autocomplete="off" as an attribute on the fields. However, if you want to have the fields use autocomplete, just not the old data, that will prove to be a bit more difficult, and I don't know the full solution to this. The above article only makes mention of fully disabling autocomplete.

What might fix this (allowing autocomplete but not the old data) would be to use different input field names. Granted, I haven't tested this, but if you call your password field password2 and your username field username2 or something similar, and do not have a password input field, Chrome might detect it as being a different set of fields, and make its own, new association. Again though, I can't promise that this will work for you.

Community
  • 1
  • 1
Alec Deitloff
  • 457
  • 4
  • 12
  • Going off that logic though, I just tried hiding the existing password field and creating a new password field and calling it `password2`, and it doesn't fill it out anymore. Submitting the form however does not trigger the autocomplete save/update dialogue for a browser that already has it saved. And yes, I do want autocomplete to be available – Enzo Jan 16 '15 at 16:45
  • I'm fishing at straws here, because I've never done this and I can't find any mention of it online, but perhaps you might be able to user javascript here to help. Before your form is submitted, you could remove the hidden password field so that it only submits the one password field, and Chrome might detect that as a suitable change and prompt to update the saved password. However, even if that works, you're still stuck with your previous code which prevents autocomplete from displaying. You might ultimately be forced to just suggest your clients manually do it via Settings -> Manage passwords – Alec Deitloff Jan 16 '15 at 16:57
  • Ooh dastardly. I like this idea (though it's quite a hack). Trying now. – Enzo Jan 16 '15 at 17:02
  • Newp. Think I might just say screw it and let users deal with the invalid email error (internal application). – Enzo Jan 16 '15 at 17:18
  • There are keyboard commands to do this for a website without needing to go through the settings menu. You might want to look into that and then suggest that to the users; it's always simpler that way. – Alec Deitloff Jan 16 '15 at 17:19
  • Nah, tested it with just letting the form throw the invalid email error, when you type in email + password you then get the Chrome prompt to update/save the credentials as you'd expect – Enzo Jan 16 '15 at 17:22
  • If you can be a bit more specific with what you mean by throwing an invalid email error, I can edit my answer, or you can post one of your own. – Alec Deitloff Jan 16 '15 at 17:26
  • Well, the new email field I added has a `type="email"` which when you try to submit it causes the (modern) browser to throw a validation error for credentials saved post-email field telling you it's not a valid email. At which point you, the user, will type in the right email and then hit Submit again. Your browser will then accept that and throw up the credential save prompt. I'd have preferred being able to reset the credentials, but this works too I guess. Since it's internal I don't have to worry about non-Chrome/Firefox browsers as well – Enzo Jan 16 '15 at 17:31
1

Not really a "fix" per se since it doesn't really handle it transparently as I was hoping, but, I opted to simply remove the workaround field and let my users deal with having their browser through a validation error when submitting the form.

Since the new field has type="email", when they try to submit the form it will validate the previously saved username as an invalid email and tell the user of such. The user will then change it to their email and hit submit again, at which point the browser will prompt them with the save login credentials message and all will be happy hence forth.

Not as clean as I'd have liked it, but it works and it'll be a one-time thing for users who had previously saved their username.

Enzo
  • 150
  • 8
  • I have the same problem 3 years later. Mayme you have some fix for it now? I have all 3 fields: email, name and password and Chrome ignores email field completely, autofilling name field with email and password with password. This is so strange behavior... – Telion Apr 21 '18 at 18:36
  • I gave up trying to fix it as it wasn't worth the time to continue investigating, and rather opted to display an error that the field is incorrectly filled in instead. I haven't circled back to it, but I'd suggest doing that as well. – Enzo May 01 '18 at 21:47