  1. Moodle
  2. MDL-64969

Re-add loginpasswordautocomplete option


    Details

    • Type: Bug
    • Status: Waiting for peer review
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.3 regressions, 3.5.11, 3.6.9, 3.7.5, 3.8.2, 3.9
    • Fix Version/s: 3.9
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      The following testing instructions assume that your Moodle site is configured to use the core Boost theme. Though this should be inherited by most themes, some 3rd party themes may override the core loginform.mustache template.

      1. Log in as a Moodle Administrator.
      2. Navigate to Site Administration > Security > Site Security Settings.
      3. Change the Remember username field to No.
      4. Save changes.
      5. Log out.
      6. Go back to the login page.
      7. Inspect the user name field. Notice that autocomplete is now set to "off".
      8. Inspect the password field. Notice that autocomplete is now set to "off".

      If you were able to successfully complete the above instructions and saw that autocomplete="off", the test has been successful.

    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull 3.7 Branch:
      MDL-64969-M37
    • Pull 3.8 Branch:
      MDL-64969-M38
    • Pull Master Branch:
      MDL-64969-master

      Description

      Hello, I was told to open a ticket related to this issue

      Previously in https://tracker.moodle.org/browse/MDL-55476 the option for "loginpasswordautocomplete" was removed. It was removed because, realistically to the general public, it's not honored by browsers.

      However, I believe this logic is unsound, or at the very least not enough to justify removal of this feature. Whether or not a flag is honored by a client browser is fully a client issue.

      Burp Security Suite identifies forms with passwords and autocomplete enabled as a warning. These are all shown as "Password field does not have "autocomplete=off"" warnings.

      These warnings turn into security issues on our monthly review. Previously we could just enable this setting, and the problem would be solved. 

      There are configurations of browsers within secured federal government environments that DO respect these settings. This might not be super useful to all users, but there are edge cases where this is an important feature (of which I am one I guess). 

      Perhaps add a warning that "This is not respected by most browsers" or something to that effect? 

      But I would like to revert this change, and re-include the feature.

      Thank you. 
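
The check from the testing instructions (steps 7 and 8) and the scanner warning quoted above, as an added example that is not part of the ticket or of Moodle's code: it parses login page markup and lists the credential fields whose effective autocomplete value is not "off". The markup is constructed for illustration, and the field name `username` is an assumption.

```python
from html.parser import HTMLParser

class LoginAutocompleteAudit(HTMLParser):
    """Record the effective autocomplete value of credential inputs."""

    def __init__(self, username_names=("username",)):
        super().__init__()
        self.username_names = username_names  # assumed name(s) of the user field
        self.form_default = None              # autocomplete set on the open <form>
        self.fields = {}                      # field name -> effective value or None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_default = a.get("autocomplete") or None
        elif tag == "input":
            is_cred = a.get("type") == "password" or a.get("name") in self.username_names
            if is_cred:
                # A field's own attribute wins; otherwise it inherits the form's.
                self.fields[a.get("name") or a.get("id", "?")] = (
                    a.get("autocomplete") or self.form_default)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None

def audit(html):
    """Return {field: value} for credential fields not effectively set to "off"."""
    parser = LoginAutocompleteAudit()
    parser.feed(html)
    return {name: val for name, val in parser.fields.items() if val != "off"}

# Constructed sample markup (not Moodle's loginform.mustache).
BEFORE = """<form action="/login/index.php" method="post">
  <input type="text" name="username" id="username">
  <input type="password" name="password" id="password">
</form>"""
AFTER = """<form action="/login/index.php" method="post">
  <input type="text" name="username" id="username" autocomplete="off">
  <input type="password" name="password" id="password" autocomplete="off">
</form>"""
MIXED = """<form autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="current-password">
</form>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(label, audit(page) or "OK")
```

An empty result means both fields pass; a theme that overrides the login template can be checked by feeding its rendered login page to `audit()`.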

              People

              Assignee:
              michael-milette Michael Milette
              Reporter:
              stormthegates Wolf Ventir
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
              Votes:
              1
              Watchers:
              4

                Dates

                Created:
                Updated:
                Fix Release Date:
                15/Jun/20