AutoComplete Attribute Not Disabled for Password in Form Based Authentication

Question asked by shynu sivarajan on Nov 25, 2013


I have a live machine scanned by Qualys, and it points to the following vulnerability

"AutoComplete Attribute Not Disabled for Password in Form Based Authentication"

with QID: 86729.


I have made the following fixes for it.


Disabling the autocomplete feature inside the HTML code like


----code starts here----


<form action="myfile.jsp" method="post" name="loginform" autocomplete="off">
login <input type="text" name="userid" maxlength="20" autocomplete="off" />
password:<input name="password" maxlength="20" type="password" autocomplete="off" />
<input type="submit" value="Enter" />
</form>


--code ends here---


I tested with Chrome, Firefox and IE browsers. None of these browsers store the {login/password} contents in their cache.

Still, the report shows the same result.

What am I missing?


Deployed webserver: Apache tomcat 7.0.42

http: Disabled

https: Enabled
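
One way to check what the server actually returns, as an added example that is not part of the original post and not Qualys's detection logic: the script below lists every password input whose own autocomplete attribute is not "off". The strict per-field rule, the `audit` helper and the second sample page are assumptions made for illustration; both sample pages are constructed.

```python
from html.parser import HTMLParser

class PasswordAutocompleteAudit(HTMLParser):
    """Record password inputs whose own autocomplete attribute is not "off".

    Assumption: a strict per-field rule, not the scanner's documented logic.
    """
    def __init__(self):
        super().__init__()
        self.form = None      # attributes of the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # tag/attribute names arrive lower-cased
        if tag == "form":
            self.form = a
        elif tag == "input" and a.get("type", "").strip().lower() == "password":
            value = a.get("autocomplete", "").strip().lower()
            if value != "off":
                form = self.form or {}
                self.findings.append({
                    "field": a.get("name", "(unnamed)"),
                    "form": form.get("name") or form.get("action") or "(no form)",
                    "autocomplete": value or "(absent)",
                    "form_autocomplete": form.get("autocomplete", "(absent)"),
                })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit(html):
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages: the login form from the post, and a hypothetical second page.
LOGIN_PAGE = """<form action="myfile.jsp" method="post" name="loginform" autocomplete="off">
login <input type="text" name="userid" maxlength="20" autocomplete="off" />
password:<input name="password" maxlength="20" type="password" autocomplete="off" />
<input type="submit" value="Enter" /></form>"""
OTHER_PAGE = """<form action="change.jsp" method="post" autocomplete="off">
<input type="password" name="oldpw"><INPUT TYPE="PASSWORD" NAME="newpw" AUTOCOMPLETE="on">
</form><input type="password" name="orphan" autocomplete="off">"""

if __name__ == "__main__":
    for name, page in (("login", LOGIN_PAGE), ("other", OTHER_PAGE)):
        print(name, audit(page) or "no findings")
```

Feed it the HTML as delivered over HTTPS for each URL named in the scan report rather than the JSP source, so that any other page carrying a password field is covered too.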