Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I got a problem, that came up with the new Firefox 3.
I got several projects, wehre people can login with an id or a nickname. They cannot change the id but I do allow to change a nickname that might be easier for them to remember. This function requires the password of the user to change the nickname to avoid collegues that use a break of the user to change stuff on their computer. It worked like a charm until Firefox 3 an its agressive password fill in function.
Now no matter what I do it fills in the password if I choose the correct current nickname. Even if I rename the fields it seems it just takes the next password field and puts the correct password in. Even if I prefill the pw field it is overwritten by the autofill in
This of course defeats the purpuse completely. Any ideas or solutions out there to block that function?
You can delete the saved passwords, from what you describe this would seem to be the only way. Also it's a bad idea to have Firefox remember any passwords.
make sure you don't name the input fields with standard names like 'email' ,'username' and 'password' - firefox will immediately pick that up. If its a unique name, firefox asks the users whether to save the password or not - if they click 'yes', there is nothing you can do about it.
I have given the fields unique names to prevent bots form just easily fill in fields. My problem is now, that the password was saved in the initial sign up process but gets filled in at a totally different point of the site into fields that even have different names as well.
I know it is a client problem but it also seems to me as a firefox bug to fill in passwords at differnt places throughout the site. I hoped that there would be a trick to prevent it but I guess I have to live with it. It even saves the password now when I md5 it with javascript
I had the same problem, and I found a hack for this: put into your html page the very before your password field an another password field with display: none option, like this:
<input type="password" style="display: none" />
<input... --your password field goes here -- .../>