Need to disable Autocomplete Password in Browser for Confluence

For PCI compliance, I need to disable the storing of passwords in the browsers. Is there a way to configure that?

7 answers

Is it possible to modify the login.vm file so that the os_password input box contains the attribute autocomplete="off"?


<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>

I haven't got access to a Confluence instance where I can try this out, but it might/should do the trick, though bear in mind that this is probably not valid markup with certain DocTypes, so if that is important you may need to use JavaScript to set the attribute.

For good measure, you may want to add the attributes autocapitalize="off" and autocorrect="off" to the os_username field, to control automatic correction or capitalization on iOS devices.


<input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>

Thanks, this pointed me in the right direction. I ended up having to edit the \confluence\template\au\password.vm file and so it said <input type="password" autocomplete="off" name="$!webwork.htmlEncode($" id="$!webwork.htmlEncode($" ##

0 votes

You can do it with a bit of JavaScript, but it's pretty much a waste of time, because:

  • It's a browser function, NOT a site function
  • You need to code for all browsers
  • You need to code for browser plugins that might autofill
  • It irritates users when you do it, and they often get quite determined to get around it (this one is a personal opinion - I certainly get annoyed and force sites to work with a spot of scripting)
  • It's a doddle for a browser or determined user to bypass

It is not a big problem for you to remove all saved passwords on your browsers if you have a step-by-step guide. I found this useful guide to disable Autocomplete Password in Browser which may be helpful for you, too.

We also need to do the same in Stash and JIRA, also for PCI compliance so failure is not an option :-)

0 votes

I believe John's answer about editing the .vm is still correct, you can embed something to try to disable autocomplete in the login.

But, browsers are still completely free to ignore it. I'm afraid you might want to have another look at the PCI compliance rules you've got - they can't demand something that simply can't be enforced. My browser regularly overrides it on several sites, and I'd probably do the same if someone inflicted it on Confluence/Jira etc.

Thanks Nick. Looking at JIRA I find include/loginform.jsp which contains the password input. Am I correct in assuming that I can change this file and just have to remember to reapply the change after maintenance or upgrades?

I'm still looking for the correct place to make the change in Stash if you can point that out.

Fortunately I am only responsible for getting the servers to pass the audit. Client behavior is out of scope.

0 votes

Yeah, that's the one and the method. I don't know Stash code well enough, sorry. (Still not sure it's in the slightest bit worth doing, as "compliance" doesn't matter where it can be bypassed, it's still an issue, but hey)
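For the server-side audit discussed in this thread, a check like the following can confirm that the template edit survived an upgrade. It is an added example, not code from any poster or from Atlassian: it scans the rendered login-page HTML (not the .vm or .jsp template) and reports password inputs whose effective autocomplete value is not "off". It goes slightly beyond the thread by also honouring an autocomplete attribute on the enclosing form; the function names and the sample markup are constructed.

```javascript
// Audit rendered login-page HTML for password inputs whose effective
// autocomplete value is not "off". All sample markup here is constructed.
// Parse one tag's attributes into a lower-cased name -> value map.
function parseAttrs(tagSource) {
  const attrs = {};
  const body = tagSource.replace(/^<\/?\s*[a-zA-Z0-9]+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  return attrs;
}

// Return one finding per <input type="password">, in document order.
function auditPasswordInputs(html) {
  const findings = [];
  let formAutocomplete = null; // value on the enclosing <form>, null outside a form
  const source = html.replace(/<!--[\s\S]*?-->/g, ""); // ignore commented-out markup
  for (const m of source.matchAll(/<(\/?)(form|input)\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    if (m[2].toLowerCase() === "form") {
      formAutocomplete = m[1] ? null : (attrs.autocomplete ?? "").trim().toLowerCase();
      continue;
    }
    if ((attrs.type ?? "").toLowerCase() !== "password") continue;
    // A field without its own attribute takes the form owner's on/off state.
    const own = attrs.autocomplete === undefined ? null : attrs.autocomplete.trim().toLowerCase();
    const effective = own ?? formAutocomplete ?? "";
    findings.push({ name: attrs.name ?? "(unnamed)", effective, compliant: effective === "off" });
  }
  return findings;
}

// Names of the password fields an auditor would flag.
function nonCompliantFields(html) {
  return auditPasswordInputs(html).filter((f) => !f.compliant).map((f) => f.name);
}

// Constructed sample: the first two inputs mirror the markup quoted in the thread.
const SAMPLE_LOGIN_HTML = `
<form name="loginform" method="POST">
  <input type="text" name="os_username" id="os_username" class="text " autocapitalize="off" autocorrect="off"/>
  <input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>
  <input type='PASSWORD' name=os_confirm>
</form>
<form autocomplete="off"><input type="password" name="inherited"></form>`;

console.log(nonCompliantFields(SAMPLE_LOGIN_HTML)); // [ 'os_confirm' ]
```

Fetching the page is left out so the block runs offline; feed it the HTML your own instance serves for its login form.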
