Web security practices: how to prevent browsers from remembering user names and passwords
Problem
Anyone who has developed for the Web knows that after opening a website you usually have to enter a user name and password. Although this is a simple operation, it can expose some problems at submission time, and these problems will of course be flagged by vulnerability-scanning software. If nothing is done about them, sensitive information is left behind in the form, the page, or local cookies, where an attacker may be able to exploit it. The following discusses how to avoid such problems.
Solution
The following lists several common solutions, each with its advantages, disadvantages and the scenarios it suits. Let's look at them first:
I. Remember the password for the browser
First, most browsers decide that a form field is a password field from its type="password" attribute. So you can use the "set the password field dynamically" method:
The Code is as follows:
<input type="text" name="password" onfocus="this.type='password'" />
Note: when this text box gets focus it is turned into a password field, so the browser will not remember the password. To make this more robust, you can also add the autocomplete="off" attribute.
II. In the onload event, clear the value of the password box, that is:
The Code is as follows:
<script type="text/javascript">
// Clear the password field once the page has loaded so an autofilled value does not remain in it
window.onload = function () { document.getElementById('password field id').value = ''; };
</script>
Note: You can also use the corresponding jQuery method.
III. Serve the page over the https protocol, because with https the form information is not saved.
IV. Use Flash for the login form. In this case the browser will not record the form information.
V. Change type="password" to "text". Because the type is not password, the "remember password" prompt does not appear. Then set a variable such as var val = "" or set a hidden field. Finally, use onpropertychange to replace the password in the box with a row of dots, assign the real value to val, and restore the value from val when the form is submitted. Because the effect is the same as the * masking, users cannot see any difference.
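The masked text box of solution V, as an added example that is not code from the original post: the visible box only ever holds dots, the real password lives in a JS variable and is copied into a hidden field for submission. Element ids (pw-visible, pw-hidden) and function names are my own assumptions, and the standard input event is used in place of the IE-only onpropertychange mentioned above.

```javascript
// Added example (not from the original post): solution V as a pure
// reconciliation function plus optional DOM wiring. Names are assumptions.
const MASK = '\u2022'; // bullet, stands in for the browser's "*" masking

// realValue: password stored so far; shown: text box content right after the
// user's edit (MASK for untouched characters, plain characters where typed).
// Returns the new real value and the all-dots string to put back in the box.
function reconcile(realValue, shown) {
  let prefix = 0; // untouched characters before the edit
  while (prefix < shown.length && shown[prefix] === MASK) prefix++;
  let suffix = 0; // untouched characters after the edit
  while (suffix < shown.length - prefix && shown[shown.length - 1 - suffix] === MASK) suffix++;
  // Deleting from the end leaves only dots: keep just the surviving prefix.
  if (prefix + suffix > realValue.length) suffix = Math.max(0, realValue.length - prefix);
  const typed = shown.slice(prefix, shown.length - suffix);
  const real = realValue.slice(0, prefix) + typed + realValue.slice(realValue.length - suffix);
  return { real, display: MASK.repeat(real.length) };
}

// Browser wiring: the hidden field is what the form actually submits; the
// visible type="text" box never contains the password, so there is nothing
// for the browser's "remember password" feature to pick up.
function attachMaskedPassword(textBox, hiddenField) {
  let real = '';
  textBox.setAttribute('autocomplete', 'off');
  textBox.addEventListener('input', () => {
    const next = reconcile(real, textBox.value);
    real = next.real;
    textBox.value = next.display;
    hiddenField.value = real;
  });
  return () => real; // accessor for the current real value
}

if (typeof document !== 'undefined') {
  const box = document.getElementById('pw-visible');  // <input type="text" id="pw-visible">
  const hidden = document.getElementById('pw-hidden'); // <input type="hidden" name="password" id="pw-hidden">
  if (box && hidden) attachMaskedPassword(box, hidden);
}
```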
Comparison
Now the problem arises. If the project has already been developed and is in the testing stage, you cannot refactor the code after such a problem is found; instead it is called patching: fix the vulnerability with a patch. The available solutions are then I and II. Of course, if you do not mind the extra work, we recommend IV and V.
Solution III is definitely not feasible, because the project's protocol was decided long before the end of development. If an interface had been reserved in advance it would be much easier, but that requires good design.
When you choose solution I, you will find there is still a problem. I have tested it before: solution I works normally in IE 10 and later, but in versions earlier than IE 10 the password is displayed in plaintext; type='password' does not take effect at all. If your project must be compatible with multiple IE versions, this solution is ruled out.
As for solution II, you will find that it is really just icing on the cake: it can be used together with solution I, but since solution I has been ruled out, solution II on its own is only a stopgap. So it is ruled out for the same reason.
If the project is still under development, you can try solutions III and IV.
The solution I selected is V, implemented in JS. After the text box gets focus, the text box is swapped for the password box; this method works in different versions of IE. Also, if your project is in the development phase, we recommend this method, and there will be no worries during later maintenance.
Conclusion
This vulnerability is not fatal within the Web security system as a whole. The point here is to understand that patching the vulnerability is not our purpose; what matters is how to avoid such a vulnerability during development. As the saying goes, "prevent problems before they happen".