secure directory login using php in IE6

         

hughes

2:52 pm on Dec 7, 2004 (gmt 0)

10+ Year Member



Hi, I'm pretty new to PHP. Does anyone know how to log in to a secured directory using PHP? I can get it to work when the site visitor is using Mozilla, but IE will not allow a login due to the URL spoofing fix.

I want to do it this way so I can disable autocomplete at the login page.

Code I have is as follows:

HTML FORM

-----------------------------------------------

<body>

<form name="form1" method="post" action="login.php">
<p>
<input type="text" name="username" autocomplete="off">
Username</p>
<p>
<input type="password" name="password" autocomplete="off">
Password</p>
<p>
<input type="submit" name="Submit" value="Submit" autocomplete="off">
</p>
</form>

-------------------------------------------------

SERVER SIDE SCRIPT

LOGIN.PHP

----------------------------------------------------

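<?php
// Read the submitted credentials (empty string if a field is missing)
$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';

// URL-encode the credentials so characters such as "@", ":" or "/" cannot alter the URL
$url = "http://" . rawurlencode($user) . ":" . rawurlencode($pass) . "@www.domain.com/securedirectory/index.php"; // target of the redirect
$delay = "3"; // 3 second delay

echo "login in 3 seconds";

// Escape the URL before writing it into the HTML attribute
echo '<meta http-equiv="refresh" content="' . $delay . ';url=' . htmlspecialchars($url, ENT_QUOTES) . '">';

?>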

Any help is much appreciated.

Hughes

ergophobe

10:52 pm on Dec 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hughes,

Welcome to WebmasterWorld!

I have to say that I pretty much don't use HTTP authentication anymore, so I can't be much help.

That said, isn't it fair to say that IE stopped allowing this because it's a fairly serious security issue and that the technique shouldn't be used? It seems like you would want to make your users log in if you are using that type of authentication, rather than just passing the login and pass in a URL.

Tom

hughes

2:02 pm on Dec 9, 2004 (gmt 0)

10+ Year Member



The problem is I'm trying to access a secure directory supplied by my hosting company. But I do not want users being able to click the remember my password option at login. The computers used to access the site are also used by external clients, some of questionable background, and I don't want them accessing a confidential area just by clicking "ok".

>>I have to say that I pretty much don't use HTTP authentication anymore, so I can't be much help.

Could you suggest any other kind of login authentication that does not allow remembered passwords? I'm pretty new to this so any ideas are welcome.

ergophobe

6:39 pm on Dec 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm not sure. The problem is that remembering login name and password is done in two ways:

- setting a cookie, which you can stop by not setting a cookie

- the "autofill" feature of browsers, which is something that is entirely client side. I would guess you might be able to prevent it with JavaScript or something, but it may have to be done client side. I'm not sure how you prevent browsers from automatically filling in form data if the user has things set up that way.

Is your goal primarily to prevent automatic login or primarily to prevent folks from seeing the login info?

Also, doesn't it seem sort of risky to let people into that directory? Typically, I would create a login system using PHP and create a cascading set of privileges - some people can view, some can add, some can make changes, some can delete.

Tom

hughes

9:16 am on Dec 13, 2004 (gmt 0)

10+ Year Member



Thanks for replying, I am trying to stop automatic login of the directory.

Is there a way I could check the login variables on each page using an expiring cookie and if not present or expired, deny access? Would I need to encrypt the information in the cookie?

Hughes
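
An added example, not part of the original thread: one way to do the per-page check asked about above, keeping a signed, expiring token in the cookie instead of the login details themselves. The cookie name `auth`, `SECRET_KEY`, the 15-minute lifetime, `/login.php` and a site served over HTTPS are all assumptions.

```php
<?php
// Added example, not from the thread. SECRET_KEY is a placeholder:
// load a long random value from configuration kept outside the web root.
const SECRET_KEY = 'replace-with-32-random-bytes';
const TTL = 900; // token lifetime in seconds (assumed: 15 minutes)

// Build "base64(user)|expiry|hmac". No password is ever stored in the cookie.
function issue_token($user, $now)
{
    $payload = base64_encode($user) . '|' . ($now + TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Return the username for a valid, unexpired token, or null otherwise.
function verify_token($token, $now)
{
    $parts = explode('|', (string) $token);
    if (count($parts) !== 3) {
        return null;                       // missing or malformed cookie
    }
    list($user64, $expiry, $mac) = $parts;
    $expected = hash_hmac('sha256', $user64 . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // edited or forged cookie
    }
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null;                       // expired
    }
    $user = base64_decode($user64, true);
    return $user === false ? null : $user;
}

// Call at the top of every protected page: deny access unless the cookie verifies.
function require_login()
{
    $token = isset($_COOKIE['auth']) ? $_COOKIE['auth'] : '';
    $user = verify_token($token, time());
    if ($user === null) {
        header('Location: /login.php');    // assumed login page
        exit;
    }
    // Re-issue on each request: session cookie (lifetime 0), Secure, HttpOnly.
    setcookie('auth', issue_token($user, time()), 0, '/', '', true, true);
    return $user;
}
```

Signing rather than encrypting is enough here because the cookie holds only a username and an expiry time, and any change to either invalidates the HMAC. The login form would call `issue_token()` once it has checked the password on the server.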

Adrian2k4

9:51 am on Dec 13, 2004 (gmt 0)

10+ Year Member



I had this idea on how to prevent IE from "autofilling" form fields: (I didn't test this)

I think IE saves the name of the form field to create the "autofill" menus. So if you want to prevent the "autofilling" you have to make sure that always different names are in the <input name="...."> option.
The easiest way to do this is to use the UN*X timestamp or some other kind of unique token as the field name. As long as the names are different every time a user visits, I think it won't "autofill".