  1. Moodle
  2. MDL-64969

Re-add loginpasswordautocomplete option


    • New Feature
    • Resolution: Won't Fix
    • Minor
    • None
    • 3.3 regressions, 3.5.11, 3.6.9, 3.7.5, 3.8.2, 3.9
    • Authentication
    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • MDL-64969-master

      The following testing instructions assume that your Moodle site is configured to use the core Boost theme. Though this should be inherited by most themes, some 3rd party themes may override the core loginform.mustache template.

       Test

      1. Log in as a Moodle Administrator.
      2. Navigate to Site Administration > Security > Site Security Settings.
      3. Change the Remember username field to No.
      4. Save changes.
      5. Go to Site home and turn editing on.
      6. Add the Login block using the 'Add a block' button.
      7. Log out.
      8. Once logged out, you should see the homepage and the Login block.
      9. Inspect the user name field in the Login block.
        1. Confirm that autocomplete is now set to "off".
      10. Inspect the password field in the Login block.
        1. Confirm that autocomplete is now set to "off".
      11. Go to the login page by clicking on the 'Log in' link in the top navigation bar.
      12. Inspect the user name field.
        1. Confirm that autocomplete is now set to "off".
      13. Inspect the password field.
        1. Confirm that autocomplete is now set to "off".

      If you were able to successfully complete the above instructions and saw that autocomplete="off", the test has been successful.

    • 3
    • 4.0 holding pattern 9

      Hello, I was told to open a ticket related to this issue.

      Previously in https://tracker.moodle.org/browse/MDL-55476 the option for "loginpasswordautocomplete" was removed. It was removed because, realistically to the general public, it's not honored by browsers.

      However, I believe this logic is unsound, or at the very least not enough to justify removal of this feature. Whether or not a flag is honored by a client browser is fully a client issue.

      Burp Security Suite identifies forms with passwords and autocomplete enabled as a warning. These are all shown as "Password field does not have "autocomplete=off"" warnings.

      These warnings turn into security issues on our monthly review. Previously we could just enable this setting, and the problem would be solved. 

      There are configurations of browsers within secured federal government environments that DO respect these settings. This might not be super useful to all users, but there are edge cases where this is an important feature (of which I am one I guess). 

      Perhaps add a warning that "This is not respected by most browsers" or something to that effect? 

      But I would like to revert this change, and re-include the feature.

      Thank you. 
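
The check from the testing instructions, which is also what the scanner warning quoted above is about, written as an added example that is not part of the ticket or of Moodle's code: it parses login markup and reports the effective autocomplete value of every credential field. The sample HTML is constructed, and matching the user name field by `name="username"` is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample markup, not Moodle's real loginform.mustache output.
SAMPLE_LOGIN_HTML = """
<form id="login" method="post">
  <input type="text" name="username" id="username" autocomplete="off">
  <input type="password" name="password" id="password" autocomplete="off">
</form>
<form id="themed-login" method="post">
  <input type="text" name="username" id="login_username" autocomplete="username">
  <input type="password" name="password" id="login_password">
</form>
"""


class LoginAutocompleteAudit(HTMLParser):
    """Record the effective autocomplete value of each credential input."""

    def __init__(self, username_names=("username",)):
        super().__init__()
        self.username_names = set(username_names)  # assumed field names
        self.form_default = None  # autocomplete value of the open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.form_default = attr.get("autocomplete")
            return
        is_password = (attr.get("type") or "").lower() == "password"
        if tag != "input" or not (is_password or attr.get("name") in self.username_names):
            return
        # A field without its own attribute inherits the form's value;
        # with neither present the browser default is "on".
        value = (attr.get("autocomplete") or self.form_default or "on").strip().lower()
        self.findings.append({"field": attr.get("id") or attr.get("name"),
                              "autocomplete": value, "passes": value == "off"})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None


def audit_login_fields(html):
    """Return one finding per username/password input found in html."""
    parser = LoginAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Feeding it the saved HTML of the login page and of a page showing the Login block covers steps 9 to 13 for any theme, including one that overrides the core template.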

            michael-milette Michael Milette
            stormthegates Wolf Ventir
            Mihail Geshoski
            Andrew Lyons
            Votes: 1
            Watchers: 11


                Estimated: Original Estimate - 0 minutes
                Remaining: Remaining Estimate - 0 minutes
                Logged: Time Spent - 4 hours, 30 minutes
