"Autocomplete = off" on SSPR source page

  • 7017663
  • 02-Jun-2016
  • 06-Jun-2016

Environment

Self Service Password Reset
SSPR 3.3.1
Browser set to save user names and passwords

Situation

Is it possible to exclude SSPR pages from "autocomplete"?
Can SSPR block the browser from inserting credentials stored by the browser?
"autocomplete = off" does not show on the SSPR source page
Selecting "view source" on the .../sspr/private/login page does not show "autocomplete" to be present on the page.

Resolution

SSPR does set "autocomplete" to off.
SSPR sets "autocomplete = off" via JavaScript, not in the SSPR page source.
"View source" will not show "autocomplete = off", but "Inspect" or "Inspect Element" will show that it really is set to off.

Using either Chrome or Firefox, go to the SSPR login page, right-click in either the name or password field, and select "Inspect" in Chrome or "Inspect Element" in Firefox.


Look for "autocomplete = off"  in the form tag, as shown below:


However, most current browsers ignore the autocomplete=off setting, and will populate credentials on the SSPR page regardless of its value.

Additional Information

Traditionally, web applications have set "autocomplete = off" to prevent a browser from auto-populating usernames and passwords saved in the browser's credential store. With most current browsers, however, setting "autocomplete = off" does not prevent the browser from inserting stored credentials.

Developers of web applications and browsers have fought over who controls the insertion of stored credentials on a given web page. Browser developers want the user to have control, while many web page developers feel that their particular page should be excluded from auto-population. In contests between the browser and the web app, the browser usually wins. Many modern browsers do not support autocomplete="off" for login fields, and will populate a site with credentials stored by the user regardless of the autocomplete setting.


For example, Firefox was enhanced to ignore autocomplete="off" when offering to save passwords via the password manager, as documented here: https://bugzilla.mozilla.org/show_bug.cgi?id=956906
(See the summary in comment 100.)


Also, note that "Inspect" in Chrome or "Inspect Element" in Firefox shows the current state of the web page. "View source" shows how the page originally loaded and may not correctly reflect the current condition.
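
The difference between "View source" and "Inspect" described above can also be checked from the browser console. The following is an added example, not SSPR code: the function names are hypothetical, and it assumes that re-fetching the current URL returns the same markup "View source" would show.

```javascript
// Compare the served markup ("View source") with the live DOM ("Inspect")
// for the autocomplete attribute on each form and its input fields.
// Any object exposing querySelectorAll/getAttribute can be passed in.

function autocompleteOf(el) {
  // getAttribute returns null when the attribute is absent
  return el.getAttribute('autocomplete');
}

// List every form and input with its autocomplete value (or null).
function collect(doc) {
  const rows = [];
  Array.from(doc.querySelectorAll('form')).forEach((form, i) => {
    rows.push({ node: `form[${i}]`, value: autocompleteOf(form) });
    Array.from(form.querySelectorAll('input')).forEach((input, j) => {
      const name = input.getAttribute('name') || `#${j}`;
      rows.push({ node: `form[${i}] input[${name}]`, value: autocompleteOf(input) });
    });
  });
  return rows;
}

// One row per live node: value as served, value now, and whether a script
// must have set it after the page loaded.
function compareAutocomplete(sourceDoc, liveDoc) {
  const served = new Map(collect(sourceDoc).map(r => [r.node, r.value]));
  return collect(liveDoc).map(r => {
    const inSource = served.has(r.node) ? served.get(r.node) : null;
    return {
      node: r.node,
      inSource,
      live: r.value,
      setByScript: r.value !== null && inSource !== r.value,
    };
  });
}

// Browser console only: re-fetch the page as served and diff it against the DOM.
if (typeof document !== 'undefined' && typeof DOMParser !== 'undefined') {
  fetch(location.href, { credentials: 'same-origin' })
    .then(res => res.text())
    .then(html => {
      const sourceDoc = new DOMParser().parseFromString(html, 'text/html');
      console.table(compareAutocomplete(sourceDoc, document));
    });
}
```

A row with inSource null, live "off" and setByScript true matches the behaviour described in the Resolution. It confirms only that the attribute is set, not that the browser honors it.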