Need to disable Autocomplete Password in Browser for Confluence

john batchelor
I'm New Here
January 17, 2013

For PCI compliance, I need to disable the storing of passwords in the browsers. Is there a way to configure that?

7 answers

1 vote
Deleted user January 17, 2013

Is it possible to modify the login.vm file (https://confluence.atlassian.com/display/DOC/Customising+the+Login+Page) so that the os_password input box contains the attribute autocomplete="off"?

E.g.

<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>

I haven't got access to a Confluence instance where I can try this out, but it might/should do the trick, though bear in mind that this is probably not valid markup with certain DocTypes, so if that is important you may need to use JavaScript to set the attribute.

For good measure, you may want to add the attributes autocapitalize="off" and autocorrect="off" to the os_username field, to control automatic correction or capitalization on iOS devices.

E.g.

<input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>

john batchelor
I'm New Here
January 25, 2013

Thanks, this pointed me in the right direction. I ended up having to edit the \confluence\template\au\password.vm file and so it said <input type="password" autocomplete="off" name="$!webwork.htmlEncode($parameters.name)" id="$!webwork.htmlEncode($parameters.id)" ##
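A check for the markup change discussed above, added here as an example (not code from the thread or from Atlassian): it parses the HTML a login page returns and lists password inputs whose effective autocomplete value is not "off", treating a form-level attribute as the default for its fields. The sample page, form names and function names are constructed for illustration; as the thread notes, browsers may ignore the attribute, so this verifies only what the server sends.

```python
from html.parser import HTMLParser

# Constructed sample of a rendered login page (not taken from a real instance).
SAMPLE_LOGIN_HTML = """
<form name="loginform" method="post" action="/dologin.action">
  <input type="text" name="os_username" autocapitalize="off" autocorrect="off"/>
  <input type="password" name="os_password" id="os_password" class="password "/>
</form>
<form name="changepw" method="post" autocomplete="off">
  <input type="password" name="old_password"/>
  <input type="PASSWORD" name="new_password" autocomplete="on"/>
</form>
"""


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not "off"."""

    def __init__(self):
        super().__init__()
        self.form_default = None  # autocomplete value of the enclosing <form>
        self.findings = []        # (line, field name, effective value)

    def handle_starttag(self, tag, attrs):
        # Attribute values are compared case-insensitively (type="PASSWORD").
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_default = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # A field's own attribute wins; otherwise the form's value applies.
            effective = a.get("autocomplete") or self.form_default
            if effective != "off":
                name = dict(attrs).get("name") or "(unnamed)"
                self.findings.append((self.getpos()[0], name, effective or "unset"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None


def audit_password_fields(html):
    """Return a list of (line, name, effective autocomplete) for failing fields."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for line, name, value in audit_password_fields(SAMPLE_LOGIN_HTML):
        print(f"line {line}: password field {name!r} has autocomplete={value}")
```
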

0 votes
Nic Brough -Adaptavist-
Community Leader
June 12, 2014

Yeah, that's the one and the method. I don't know Stash code well enough, sorry. (Still not sure it's in the slightest bit worth doing, as "compliance" doesn't matter where it can be bypassed, it's still an issue, but hey)

0 votes
James June 12, 2014

Thanks Nic. Looking at JIRA I find include/loginform.jsp which contains the password input. Am I correct in assuming that I can change this file and just have to remember to reapply the change after maintenance or upgrades?

I'm still looking for the correct place to make the change in Stash if you can point that out.

Fortunately I am only responsible for getting the servers to pass the audit. Client behavior is out of scope.

0 votes
Nic Brough -Adaptavist-
Community Leader
June 11, 2014

I believe John's answer about editing the .vm is still correct, you can embed something to try to disable autocomplete in the login.

But, browsers are still completely free to ignore it. I'm afraid you might want to have another look at the PCI compliance rules you've got - they can't demand something that simply can't be enforced. My browser regularly overrides it on several sites, and I'd probably do the same if someone inflicted it on Confluence/Jira etc.

0 votes
James June 11, 2014

We also need to do the same in Stash and JIRA, also for PCI compliance so failure is not an option :-)

0 votes
Steve Paul
I'm New Here
April 22, 2014

It is not a big problem for you to remove all saved passwords on your browsers if you have a step-by-step guide. I found this useful guide to disable Autocomplete Password in Browser which may be helpful for you, too.

0 votes
Nic Brough -Adaptavist-
Community Leader
January 17, 2013

You can do it with a bit of JavaScript, but it's pretty much a waste of time, because:

  • It's a browser function, NOT a site function
  • You need to code for all browsers
  • You need to code for browser plugins that might autofill
  • It irritates users when you do it, and they often get quite determined to get around it (this one is a personal opinion - I certainly get annoyed and force sites to work with a spot of scripting)
  • It's a doddle for a browser or determined user to bypass
