Re: Website Security - Preventing Users storing their login details in their browser...
On Feb 18, 2:14pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Danish wrote:
> > On Feb 14, 8:01 pm, WindsorFox <darkshado...@gmail.com> wrote:
> >> Danish wrote:
> >>> Hi,
> >>> I'm creating a web based database. The users of the database will
> >>> complete a login form with User Name and Password.
> >>> Many browsers offer the user the option of storing their login
> >>> details. For example: IE asks if you want to store the login details
> >>> when you click the submit button.
> >>> I need to know if there is anything I can do when I create the login page
> >>> (which will be generated by a Perl program) which will either prevent
> >>> the browser from offering this option or prevent the user from
> >>> accepting it.
> >>> Any ideas welcome!
> >>> Nigel
> >> A site that did that to me I would never use again, but regardless,
> >> there are ways around it anyway.
>
> >> --
> >> "Yah know I hate it when forces gather in ma' fringe..." - Sheogorath
>
> >> "Daytime television sucked 20 years ago,
> >> and it still sucks today!" - Marc Bissonette
>
> > Hi all,
>
> > Thanks for the various advice. I should have made clear that the site
> > I'm creating is for use only by a company's employees (so they don't
> > have the choice about whether to use it or not), that they may be
> > accessing the data from 'public' computers and that the data stored is
> > of a sensitive nature so security is of high importance.
>
> > I take the point about autocomplete making it easier for visitors to
> > use complex passwords. I already have in mind to expire passwords
> > after a set period and to enforce a mix of alphabetic and numeric
> > characters and a minimum length.
>
> > Thanks again,
>
> > Nigel
>
> But that won't stop browsers from storing passwords on those public
> computers. All it will do is keep the user from reusing the passwords.
> The password can still be on the computer - and readable by an
> administrator.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Hi Jerry,
You've got me worried now! Do you know how banks and such like get
around this security loophole?
I'm also wondering how the browser decides if the fields entered
represent a Login and Password pair.
I'm thinking of using the approach of randomising the two field names
as suggested by Tony, but would the issue you've referred to still
apply?
Nigel
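Added example, not code from the thread and not Tony's or Nigel's own program: a Perl CGI-style login form generated with per-request randomised field names, together with the server-side lookup that maps the random names back to the user name and password when the form is posted. It assumes a session id the server has already issued to the browser (normally in a cookie) and uses an in-memory hash as the session store; the store, the `/login` action and the sample posted values are all constructed for illustration. The limit of the technique is Jerry's point above: the browser still sees a `type="password"` input and can still offer to save whatever is typed into it. Randomising the names only stops a saved entry from being matched to the form on a later visit, and `autocomplete="off"` is a hint that current browsers largely ignore for password fields.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Random hex token for field names. Reads the system CSPRNG directly so the
# names cannot be predicted from an earlier page load (assumes a Unix host).
sub random_token {
    open my $fh, '<', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# Constructed in-memory session store (illustration only; a real deployment
# would use whatever server-side session storage the Perl program already has).
my %SESSIONS;

# Emit the login form. Field names are fresh on every request, and the
# random-name => role mapping is kept server-side, never in the page itself.
sub render_login_form {
    my ($session_id) = @_;
    my $user_field = 'f' . random_token();   # hex only, so safe to embed in HTML
    my $pass_field = 'f' . random_token();
    $SESSIONS{$session_id} = { user => $user_field, pass => $pass_field };
    return <<"HTML";
<form method="post" action="/login" autocomplete="off">
  <label>User Name <input type="text" name="$user_field" autocomplete="off"></label>
  <label>Password <input type="password" name="$pass_field" autocomplete="off"></label>
  <input type="submit" value="Log in">
</form>
HTML
}

# Decode a posted login: look up the names issued to this session, read them
# from the posted parameters, and discard the mapping so each form is single-use.
sub read_login {
    my ($session_id, $params) = @_;      # $params: hashref of posted fields
    my $map = delete $SESSIONS{$session_id} or return;
    my $user = $params->{ $map->{user} };
    my $pass = $params->{ $map->{pass} };
    return unless defined $user && defined $pass;
    return ($user, $pass);
}

# Demonstration with constructed input: issue a form, then simulate the POST.
my $sid = 'sess-' . random_token();
print render_login_form($sid);
my %issued    = %{ $SESSIONS{$sid} };
my %submitted = ( $issued{user} => 'nigel', $issued{pass} => 'correct horse battery' );
my ($u, $p) = read_login($sid, \%submitted);
printf "decoded user=%s, password length=%d\n", $u, length $p;

# A replayed POST with the same field names now fails: the mapping was consumed.
my @again = read_login($sid, \%submitted);
print @again ? "replay decoded\n" : "replay rejected\n";
```

The server-side mapping is what makes the names usable at all: because the browser never learns which random name means "password", a saved entry keyed on an old name has nothing to match on the next visit, which answers the question of how the browser pairs fields (it keys on the `type="password"` input and the text input before it, not on the names). Binding the mapping to the session and deleting it on use also means a stale or replayed form cannot be decoded.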