Technical Blog Post
Abstract
Disabling autocomplete for user/password login fields on SmartCloud APM UI 7.7
Body
You have likely noticed that most forms in web applications take advantage of the autocomplete feature available for input fields.
This feature is usually enabled for user login fields as well.
While most of us consider it a good way to save time, under certain circumstances it can be dangerous, because it may expose sensitive data (even if a userID without its password is not that useful...) or information that the userID owner would have wanted to keep hidden.
Another scenario where you may need to disable the autocomplete feature is a security audit that lists it among the security exposures.
APM 7.6, still based on Tivoli Integrated Portal, needed a code change to disable the autocomplete feature in the webgui login form.
This is documented in the technote:
http://www-01.ibm.com/support/docview.wss?uid=swg1PM77092
In APM 7.7, the "autocomplete=off" attribute is not implemented yet, and you may notice that the userID login form still performs autocomplete when using Mozilla Firefox.
The same does not occur in Internet Explorer.
The different behaviour seems to depend on browser settings.
On Firefox, the Privacy Preferences in the History section shows:
This means that any information previously entered is saved and used by the autocomplete feature whenever possible.
In Internet Explorer, instead, the "Forms" check box is disabled and, although "User names and passwords on forms" is enabled, the browser does not perform autocomplete on any element of the forms.
This is enough to have autocomplete disabled in Internet Explorer, and it is actually the default in most installations.
If you see a different configuration in your Internet Explorer, change the AutoComplete options to match the ones shown in the previous image, and then restart the browser.
With Firefox 17 ESR (and newer), instead, you need to perform the following steps to disable the autocomplete feature for the fields in forms (including login forms):
a) select "Use custom settings for history"
b) uncheck "Remember search and form history"
The new configuration should take effect immediately, but if you notice unexpected results, try restarting Firefox before logging in to APM 7.7 again.
The autocomplete=off attribute for the login username field will be available in the Blaze 2.3.0.3 release, so we expect to have it available in the next APM release.
Until then, you can use the workaround provided in this article.
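For the security-audit scenario mentioned above, the following Python script reports which fields of a login form are still left with autocomplete enabled, taking into account that a field inherits the setting from its enclosing form. It is an added example, not IBM or APM code; the three sample forms and their field names are constructed for illustration and are not the real APM login markup.

```python
from html.parser import HTMLParser

# Constructed sample markup; not the real APM login page.
NO_ATTRIBUTE = """<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>"""
USERNAME_ONLY = """<form action="/login" method="post">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password">
</form>"""
FORM_LEVEL = """<form action="/login" method="post" autocomplete="OFF">
  <input name="username">
  <input type="password" name="password">
</form>"""

CHECKED_TYPES = {"text", "email", "password"}

class AutocompleteAudit(HTMLParser):
    """Collect the input fields for which autocomplete is not switched off."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # names of fields left with autocomplete enabled

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ac = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_off = ac == "off"
        elif tag == "input" and (a.get("type") or "text").lower() in CHECKED_TYPES:
            # The field's own value wins; otherwise it inherits from the form.
            if (ac or ("off" if self.form_off else "on")) != "off":
                self.findings.append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for label, page in [("none", NO_ATTRIBUTE), ("username", USERNAME_ONLY), ("form", FORM_LEVEL)]:
        print(label, audit(page))
```

An empty result only shows that the markup requests autocomplete to be off; browser password managers may disregard the attribute on login fields, so the browser-side settings described in this article remain relevant.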
Thanks for reading
UID
ibm11277116