disable browser 'save password' functionality in mvc

Question

0.00/5 (No votes)

See more:

Hi,

How could we disable browser 'save password' functionality in mvc,We used the following code,But not working

C#

@using (Html.BeginForm(new { autocomplete = "off", id = "form1" }))
   {

@Html.PasswordFor(m => m.Password, new { @class = "input-block-level", @placeholder = "Password", @id = "txtpasswoprd",autocompletetype="Disabled", @title = "Enter your Password" })

Also put some jquery code but didn't help to me

C#

$(document).ready(function () {

 

        $('#form1').attr('autocomplete', 'off');
    }

Thank you,
Soumya

Posted 1-Feb-15 22:53pm

soumyaraj

Add a Solution

Comments

Nathan Minier 2-Feb-15 7:38am

Short answer is: you can't. It's a browser behavior and is controlled by the user, not by individual pages.

That said, you can work around it. Assuming that you're willing to write your own AuthenticationProvider, you can use a testbox that writes to a jQuery array (and replaces the characters in the text field with *) and send that.

This is, of course, a significant security issue, and not even remotely worth avoiding the "Save this password" functionality.

Richard Deeming 2-Feb-15 15:54pm

Why would you want to make your site LESS secure by preventing the user from using the built-in tools to manage their passwords?

If you prevent the user from saving their password in the browser, then you're forcing them to pick a password they'll be able to remember. That will almost certainly end up being the same password they've used on other sites.

You're also conditioning your users to type their password every time they see something that looks like your login page - an invitation to phishing scams.

There's a good discussion on the topic on StackExchange:
Should websites be allowed to disable autocomplete on forms or fields?[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Afzaal Ahmad Zeeshan · Answer 1 · 2015-02-02T08:38:00

No - you cannot remove any functionality of the browser using the ASP.NET MVC framework, because MVC is capable of providing you with the tools to create the application on your server, whereas once on the client-side you can use the client-side languages and tools to manipulate your own application only. The browser software is a package (held by other company) that your web application has no control over.

Although, there can be many other tricks using which you can fool the browser, such as changing the name of the input field you're going to create, or by either trying to ask for a password only, without having to ask the user for his email or username, this way browser won't know which detail or which information to show from the recorded information. But - as it as - there is no way that you can control the behaviour of the browser for your application, although autocomplete="off" can be helpfull for forcing the browser to not save the previous successful attempts in the form, but the "Save Password" feature is a browser-related feature and every browser has its own implementation (it is not a standard that every browser shares or follows).