IBM Support

Disabling autocomplete for user/password login fields on SmartCloud APM UI 7.7

Technical Blog Post


Abstract

Disabling autocomplete for user/password login fields on SmartCloud APM UI 7.7

Body

You have likely noticed that most forms in web applications take advantage of the autocomplete feature available for input fields.

This feature is usually enabled for user login fields as well.

While most of us consider it a good way to save time, under certain circumstances it can be dangerous, because it may expose sensitive data (even if the userID without the password is not that useful...) or information that the userID owner would have wanted to stay hidden.

Another scenario where you may need to disable the autocomplete feature is a security audit that lists it among the security exposures.

APM 7.6, still based on Tivoli Integrated Portal, needed a code change to disable the autocomplete feature in the webgui login form.

This is documented in the technote:

http://www-01.ibm.com/support/docview.wss?uid=swg1PM77092

In APM 7.7, the "autocomplete=off" attribute is not implemented yet, and you may notice that the userID login form still performs autocomplete when using Mozilla Firefox.

 


The same does not occur in Internet Explorer.

The different behaviour seems to be dependent on browser settings.

On Firefox, the Privacy Preferences in the History section shows:

[Screenshot: Firefox Privacy preferences, History section]

This means that any information previously entered is saved and used by the autocomplete feature whenever possible.

In Internet Explorer, instead, the "Forms" check box is disabled, and although "User names and passwords on forms" is enabled, the browser does not perform autocomplete on any element of the forms.

[Screenshot: Internet Explorer AutoComplete settings]

This is enough to have autocomplete disabled in Internet Explorer, and it is actually the default in most installations.

If you see a different configuration in your Internet Explorer, make the necessary changes so that the AutoComplete options match the ones shown in the previous image, and then restart the browser.

With Firefox 17 ESR (and newer), instead, you need to perform the following steps to disable the autocomplete feature for the fields in forms (including login forms):

a) select "Use custom settings for history"

b) uncheck "Remember search and form history"


The new configuration should be available immediately, but if you notice unexpected results, try restarting the Firefox browser before trying to log in to APM 7.7 again.

The autocomplete=off attribute for the login username field will be available in the Blaze 2.3.0.3 release, so we expect to have it available in the next APM release.

Until then, you can use the workaround provided in this article.
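To check whether a login page already carries the attribute, as a security audit would, the following added example (not IBM or APM code) parses a page's HTML and lists the text-like fields whose effective autocomplete setting is not "off". The sample markup and field names are constructed for illustration and are not taken from the APM UI.

```python
from html.parser import HTMLParser

# Input types for which form-history autocomplete matters on a login form.
TEXT_TYPES = {"text", "password", "email"}


def _state(value):
    """Normalise an autocomplete attribute value ('' when absent or empty)."""
    return (value or "").strip().lower()


class AutocompleteAudit(HTMLParser):
    """Collect inputs whose effective autocomplete state is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_state = ""   # autocomplete value of the enclosing <form>
        self.findings = []     # (field name, input type) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_state = _state(a.get("autocomplete"))
        elif tag == "input":
            itype = _state(a.get("type")) or "text"
            if itype not in TEXT_TYPES:
                return
            # An input inherits the form's setting unless it sets its own.
            effective = _state(a.get("autocomplete")) or self.form_state or "on"
            if effective != "off":
                self.findings.append((a.get("name") or "?", itype))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_state = ""


def audit(html):
    """Return the list of (name, type) fields that still allow autocomplete."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample markup (hypothetical field names, not the APM UI source).
BEFORE = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>"""
AFTER = BEFORE.replace('name="username"', 'name="username" autocomplete="off"')

if __name__ == "__main__":
    print("before:", audit(BEFORE), "after:", audit(AFTER))
```

Recent browser password managers may still offer saved credentials on login fields regardless of this attribute, so the browser-side settings described above remain relevant.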

 

Thanks for reading


UID

ibm11277116