For PCI compliance, I need to disable the storing of passwords in the browsers. Is there a way to configure that?
Is it possible to modify the login.vm file (https://confluence.atlassian.com/display/DOC/Customising+the+Login+Page) so that the os_password input box contains the attribute autocomplete="off" ?
E.g.
<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>
I haven't got access to a Confluence instance where I can try this out but it might/should do the trick, though bear in mind that this is probably not valid markup with certain DocTypes so if that is important you may need to use JavaScript to set the attribute.
For good measure, you may want to add the attributes autocapitalize="off" and autocorrect="off" to the os_username field, to control automatic correction or capitalization on iOS devices.
E.g.
<input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>
Thanks, this pointed me in the right direction. I ended up having to edit the \confluence\template\au\password.vm file and so it said <input type="password" autocomplete="off" name="$!webwork.htmlEncode($parameters.name)" id="$!webwork.htmlEncode($parameters.id)" ##
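Added example, not part of the original thread or of any Atlassian code: a server-side audit check that parses the HTML served for a login page and lists every password input that does not carry autocomplete="off". The sample markup is constructed from the inputs quoted above, and the check only verifies what the server sends; it says nothing about whether a browser honours the attribute.

```python
from html.parser import HTMLParser

# Constructed sample markup (not captured from a real instance).
FIXED_LOGIN = """<form>
<input type="text" name="os_username" id="os_username" class="text " autocapitalize="off" autocorrect="off"/>
<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>
</form>"""

STOCK_LOGIN = """<form>
<input type="text" name="os_username"/>
<input type="password" name="os_password" id="os_password" class="password "/>
<input TYPE="Password" name="confirm" AUTOCOMPLETE="on">
</form>"""


class PasswordInputs(HTMLParser):
    """Record (name, autocomplete) for every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <input .../> via handle_startendtag.
        if tag != "input":
            return
        attr = dict(attrs)  # attribute names are lower-cased by HTMLParser
        if (attr.get("type") or "").lower() == "password":
            name = attr.get("name") or attr.get("id") or "(unnamed)"
            self.fields.append((name, attr.get("autocomplete")))


def unprotected_password_fields(html):
    """Return names of password inputs whose autocomplete is not "off"."""
    parser = PasswordInputs()
    parser.feed(html)
    parser.close()
    return [n for n, ac in parser.fields if (ac or "").strip().lower() != "off"]


if __name__ == "__main__":
    for label, page in (("fixed", FIXED_LOGIN), ("stock", STOCK_LOGIN)):
        print(label, unprotected_password_fields(page))
```

Feeding it the page fetched from each server after an upgrade shows whether a template change was overwritten and needs to be reapplied.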
Yeah, that's the one and the method. I don't know Stash code well enough, sorry. (Still not sure it's in the slightest bit worth doing, as "compliance" doesn't matter where it can be bypassed, it's still an issue, but hey)
Thanks Nick. Looking at JIRA I find include/loginform.jsp which contains the password input. Am I correct in assuming that I can change this file and just have to remember to reapply the change after maintenance or upgrades?
I'm still looking for the correct place to make the change in Stash if you can point that out.
Fortunately I am only responsible for getting the servers to pass the audit. Client behavior is out of scope.
I believe John's answer about editing the .vm is still correct, you can embed something to try to disable autocomplete in the login.
But, browsers are still completely free to ignore it. I'm afraid you might want to have another look at the PCI compliance rules you've got - they can't demand something that simply can't be enforced. My browser regularly overrides it on several sites, and I'd probably do the same if someone inflicted it on Confluence/Jira etc.
It is not a big problem for you to remove all saved passwords on your browsers if you have a step-by-step guide. I found this useful guide to disable Autocomplete Password in Browser which may be helpful for you, too.
You can do it with a bit of JavaScript, but it's pretty much a waste of time. Because