9
votes

When typing in HTML forms, browsers like Firefox or Internet Explorer store the values, sometimes quietly. So when typing in another web form, the browser smartly suggests the same information. Another method to show the dropdown list is double-clicking an empty textbox.

On an e-commerce website, the customer types the credit card number and other sensitive information. How do I prevent or block the browser from storing that sensitive information?

Another worry is about stored form data being tampered with (by malware, for example). Then the customer can select this contaminated data and compromise the site.

6
Re: "How do I prevent or block the browser from storing that sensitive information?" Don't. It's none of your business. – nobody

6 Answers

9
votes

Try the attribute autocomplete="off"

It should work for single input elements:

<input type="text" autocomplete="off" name="text1" />

or to the entire form:

<form name="form1" id="form1" method="post" autocomplete="off"
  action="http://www.example.com/action">
[...]
</form>

And specifically for ASP .NET you can set it like this:

The WebForms form:

<form id="Form1" method="post" runat="server" autocomplete="off">

Textboxes:

<asp:TextBox Runat="server" ID="Textbox1" autocomplete="off"></asp:TextBox>

or at runtime:

Textbox1.Attributes.Add("autocomplete", "off");
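
An added example, not part of the original answer: a Python audit that scans rendered form markup and lists sensitive inputs that neither set autocomplete="off" themselves nor inherit it from their enclosing form. The field-name hints and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed substrings that mark a field as sensitive; adjust to your own forms.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "password")
NO_STORE = ("off", "new-password")  # both values come from answers on this page

class AutocompleteAudit(HTMLParser):
    """Collect sensitive <input> fields the browser is still allowed to remember."""

    def __init__(self):
        super().__init__()
        self.form_setting = None  # autocomplete value of the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_setting = attrs.get("autocomplete")
        if tag != "input":
            return
        field_type = (attrs.get("type") or "text").lower()
        name = attrs.get("name") or attrs.get("id") or "(unnamed)"
        sensitive = field_type == "password" or (
            field_type != "hidden" and any(h in name.lower() for h in SENSITIVE_HINTS))
        # The input's own attribute wins; otherwise the form's value applies.
        effective = (attrs.get("autocomplete") or self.form_setting or "").lower()
        if sensitive and effective not in NO_STORE:
            self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """
<form method="post" action="/pay">
  <input type="text" name="cardNumber" />
  <input type="text" name="cvv" autocomplete="off" />
</form>
<form method="post" autocomplete="off" action="/login">
  <input type="password" name="password" />
  <input type="password" name="passwordConfirm" autocomplete="on" />
</form>
"""
```

Calling audit(SAMPLE) reports cardNumber (no setting on the input or its form) and passwordConfirm (the input's own "on" overrides the form-level "off").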

7
votes

See a longer discussion here:

How do you disable browser Autocomplete on web form field / input tag?

It looks like autocomplete="off" will work in some cases but it is not XHTML compliant.

3
votes

It is good to use the autocomplete="off" for public computers when you store data like usernames, credit card numbers and such.

So if you build an intranet system it would be OK to do it.

2
votes

As others have said, the answer is autocomplete="off"

However I think it's worth stating why it's a good idea to use this in certain cases, as some answers to this and duplicate questions have suggested it's better not to turn it off.

Stopping browsers storing credit card numbers shouldn't be left to users. Too many users won't even realise it's a problem.

It's particularly important to turn it off on fields for credit card security codes. As this page states:

"Never store the security code ... its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card."

The problem is, if it's a public computer (cyber cafe, library etc) it's then easy for other users to steal your card details, and even on your own machine a malicious website could steal autocomplete data.

0
votes

You can put on the input fields:

autocomplete="off"

as an attribute.

That being said: DON'T DO IT.

From a usability standpoint it is a terrible idea. Particularly if there's field validation. There's nothing more annoying than having to retype parts of a form because you have to correct a completely unrelated form. Most users like the fact that they don't have to retype in credit card numbers, their name, email addresses, etc.

You will annoy far more users than you help by turning off such features.

Ultimately, security is the user's problem and their prerogative. The vast majority of people use personal or work PCs so are fine with caching such information. Properly configured public terminals will clear form data when the user logs off.

So who exactly are you helping?

0
votes

<input autocomplete="new-password">

This works where "off" does not.