9

When typing in HTML forms, browsers like Firefox or Internet Explorer store the values, sometimes quietly. So when typing in another web form, the browser smartly suggests the same information. Another method to show the dropdown list is double-clicking an empty textbox.

On an e-commerce website, the customer types the credit card number and other sensitive information. How do I prevent or block the browser from storing that sensitive information?

Another worry is about tampered form data being stored (by malware, for example). Then the customer can select this contaminated data and compromise the site.

Peter Mortensen
Click Ok
  • Re: "How I do to avoid or block the browser to store that sensitive information?" Don't. It's none of your business. – nobody Jan 23 '09 at 03:59
  • 1
    possible duplicate of [How do you disable browser Autocomplete on web form field / input tag?](http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag) – Brendan Long Mar 22 '12 at 20:42

6 Answers

9

Try with the attribute autocomplete="off"

It should work for single input elements:

```html
<input type="text" autocomplete="off" name="text1" />
```

or to the entire form:

```html
<form name="form1" id="form1" method="post" autocomplete="off"
  action="http://www.example.com/action">
[...]
</form>
```

And specifically for ASP .NET you can set it like this:

The WebForms form:

```html
<form id="Form1" method="post" runat="server" autocomplete="off">
```

Textboxes:

```html
<asp:TextBox Runat="server" ID="Textbox1" autocomplete="off"></asp:TextBox>
```

or at runtime:

```csharp
Textbox1.Attributes.Add("autocomplete", "off");
```
Christian C. Salvadó
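
An added example, not part of the answer above: a small Node.js check that scans rendered HTML for card, security-code and password inputs whose effective `autocomplete` is still enabled. It applies the per-input and form-wide settings shown above, with an input's own attribute overriding the form's. The field-name pattern, the function names and the sample markup are assumptions made up for illustration.

```javascript
// Added example: flag sensitive inputs whose effective autocomplete is still enabled.
// SENSITIVE is an assumed naming heuristic; SAMPLE is constructed markup.
const SENSITIVE = /card|cvv|cvc|security.?code|passw/i;
// "off" and "new-password" are the two values suggested in the answers on this page.
const DISABLED = new Set(["off", "new-password"]);

const SAMPLE = `
<form id="checkout" method="post" action="/pay">
  <input type="text" name="cardNumber">
  <input type="text" name="cvv" autocomplete="off">
  <input type="text" name="email">
</form>
<form id="signup" method="post" autocomplete="off">
  <input type="password" name="newPassword" autocomplete="new-password">
  <input type="text" name="cardHolder">
  <input type="text" name="securityCode" autocomplete="on">
</form>`;

// Read one attribute value (quoted or bare) from a tag's source text.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditAutocomplete(html) {
  const findings = [];
  let form = null; // { id, autocomplete } of the enclosing <form>, if any
  for (const [tag] of html.matchAll(/<\/?(?:form|input)\b[^>]*>/gi)) {
    if (/^<\/form/i.test(tag)) { form = null; continue; }
    const own = attr(tag, "autocomplete");
    if (/^<form/i.test(tag)) {
      form = { id: attr(tag, "id") ?? attr(tag, "name") ?? "(unnamed)", autocomplete: own };
      continue;
    }
    const type = (attr(tag, "type") ?? "text").toLowerCase();
    if (["hidden", "submit", "button", "checkbox", "radio"].includes(type)) continue;
    const field = attr(tag, "name") ?? attr(tag, "id") ?? "";
    if (type !== "password" && !SENSITIVE.test(field)) continue;
    // The input's own attribute wins; otherwise it inherits the form's; default is "on".
    const effective = (own ?? form?.autocomplete ?? "on").toLowerCase();
    if (!DISABLED.has(effective)) {
      findings.push({ form: form?.id ?? "(no form)", field, autocomplete: effective });
    }
  }
  return findings;
}

console.log(auditAutocomplete(SAMPLE));
```

On the constructed sample it reports `cardNumber` in the checkout form (nothing disables it) and `securityCode` in the signup form (its own `autocomplete="on"` overrides the form-wide `off`).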
7

See a longer discussion here:

How do you disable browser Autocomplete on web form field / input tag?

It looks like autocomplete="off" will work in some cases but it is not XHTML compliant.

Community
BobbyShaftoe
3

It is good to use the autocomplete="off" for public computers when you store data like usernames, credit card numbers and such.

So if you build an intranet system it would be OK to do it.

2

As others have said, the answer is autocomplete="off"

However, I think it's worth stating why it's a good idea to use this in certain cases, as some answers to this and duplicate questions have suggested it's better not to turn it off.

Stopping browsers storing credit card numbers shouldn't be left to users. Too many users won't even realise it's a problem.

It's particularly important to turn it off on fields for credit card security codes. As this page states

"Never store the security code ... its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card."

The problem is, if it's a public computer (cyber cafe, library etc) it's then easy for other users to steal your card details, and even on your own machine a malicious website could steal autocomplete data.

Community
Sam Hasler
  • 1
    lol I love that quote - like I can't remember a 3 digit number! but no don't store it! in fact it's illegal from a PCI standpoint. – Simon_Weaver Sep 28 '11 at 02:03
0

You can put on the input fields:

autocomplete="off"

as an attribute.

That being said: DON'T DO IT.

From a usability standpoint it is a terrible idea. Particularly if there's field validation. There's nothing more annoying than having to retype parts of a form because you have to correct a completely unrelated form. Most users like the fact that they don't have to retype in credit card numbers, their name, email addresses, etc.

You will annoy far more users than you help by turning off such features.

Ultimately, security is the user's problem and their prerogative. The vast majority of people use personal or work PCs so are fine with caching such information. Properly configured public terminals will clear form data when the user logs off.

So who exactly are you helping?

cletus
  • This shouldn't be downvoted. However, as for the bit about "security is the user's prerogative," I think that's not necessarily the right attitude. You may be building a business application where one of the requirements is to not allow these autocomplete fields. But you may have a point sometimes. – BobbyShaftoe Jan 23 '09 at 06:26
  • 2
    Saying security is the user's problem is taking it too far, but +1 for the general gist. I hate forms that disable the autocomplete and/or use non-standard (read "stupid") field names (like "EmailAddy"). – Lawrence Dol Jan 23 '09 at 06:45
  • 2
    Stopping browsers storing credit card numbers shouldn't be left to users. Too many users won't even realise it's a problem. – Sam Hasler Jan 23 '09 at 20:17
  • It's particularly important for a card security code. As this page http://is.gd/gZVD says "Never store the security code ... its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card." – Sam Hasler Jan 23 '09 at 20:26
  • The problem is, if it's a public computer (cyber cafe, library etc) it's then easy for other users to steal your card details, and even on your own machine a malicious website could steal autocomplete data. See http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html – Sam Hasler Jan 23 '09 at 20:36
  • 2
    Disagree here with cletus - it is the responsibility of the developer to comply with the credit card industry's rules. I think annoying the users is acceptable WRT card numbers + security codes, because it helps with your PCI compliance. Often users are the weakest link in the security chain! – Travis Leleu Mar 16 '09 at 17:45
  • If you're using any public computer, you really have to assume that the computer has both hardware and software key loggers installed. You should never ever enter any sensitive information on such a computer. Even one-time passwords are a poor idea for such a computer because the whole system could be remote controlled. – Mikko Rantalainen Feb 19 '16 at 07:18
  • "From a usability standpoint it is a terrible idea." doesn't make sense. What about fields for, let's say, authentication 2FA codes? Those will always change so it'll be a great idea to turn off autocomplete. Something that many developers don't do in this situation. So it could be a great idea depending on when you use it. – JeroenE Oct 03 '18 at 13:15
0

```html
<input autocomplete="new-password">
```

This works where "off" does not.

Amazing B