
Topic awaiting preservation: Prevent form remembering?

 
H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 04-05-2005 06:00

Hi, I was just wondering about forms - I know a site where you enter your CC details to order some stuff - and next time you go to visit the site and have to enter the CC details again they are "remembered" like an autofill option.

I know this is somewhat to do with the browser, as in you can choose not to do this, but I have noticed that most sites don't seem to have this problem even when it's on.

To me this is a huge security issue. What if you ordered at an online cafe? The next person happens to go to the same site and has all of your CC info!

So I guess the question is how can this be stopped, and by what information does it remember stuff. I'm assuming that it's the "name" of the field that is remembered, and I would also think that the browser wouldn't store values for every name it encounters, probably a select few - so even putting a unique name may be a solution. The alternative is to somehow have a unique name generated, which just makes things more complicated when actually getting the data, but there are still ways to do this.

Any thoughts?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 04-05-2005 08:57

There are (non-standard) attributes to disable this for the various browsers. You'll have to google around though, I just don't remember any of 'em right now. Sorry.
Otherwise, in a net cafe, always make sure to delete all offline content and the like in the browser.

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 04-05-2005 10:27

You mean via meta tags? Any idea if it's the name that the field is stored by? Can't see what else it would be.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 04-05-2005 13:57

googled for "internet explorer prevent auto completion attribute"

found http://www.codeave.com/html/code.asp?u_log=5049

should be at least in part what you're looking for

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 04-06-2005 17:54

What I've done is use some sort of random string in the form name to bust this.

so something like

"credit_card_".microtime();

in PHP.

Takes an extra step or two parsing it out on the backend but it's pretty sure to bust autocomplete.



.:[ Never resist a perfect moment ]:.

H][RO
Bipolar (III) Inmate

From: Australia
Insane since: Oct 2002

posted 04-07-2005 05:10

Yeah, that's what I was thinking, so it actually works for the form name too, not just individual fields? That's interesting...

Am I right in saying it's a problem when people allow CC information to autocomplete at all? I emailed the company that has this problem suggesting they fix it and they replied saying it's a user-only browser setting thing and nothing they can do.

Still, it seems like a security risk not worth taking, especially when dealing with CCs.

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 04-07-2005 07:42

Well, I'm pretty sure the browsers just store some sort of form field/URL hash to store this data, so adding some sort of random string to the form name should bust it.

Similar to breaking image caching



.:[ Never resist a perfect moment ]:.
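
The random field name approach from the replies above, combined with an autocomplete attribute of the kind the earlier search was after, as an added example that is not part of the original thread. The session key `cc_fields`, the function names and the sample values are assumptions made for illustration, and `autocomplete="off"` is the attribute's common spelling rather than something quoted from the linked page.

```php
<?php
// Added example, not from the thread. The session key 'cc_fields' and the
// function names are assumptions; plain arrays stand in for $_SESSION/$_POST.
const LOGICAL_FIELDS = ['card_number', 'card_expiry', 'card_cvc'];

// Create a fresh logical-name => random-name map and keep it server-side.
function issue_field_map(array &$session): array {
    $map = [];
    foreach (LOGICAL_FIELDS as $logical) {
        // Hex only: PHP rewrites '.' and ' ' in incoming names to '_' (microtime() has both).
        $map[$logical] = 'f_' . bin2hex(random_bytes(8));
    }
    $session['cc_fields'] = $map;
    return $map;
}

// Render the form with autocomplete="off" on the form and on every input.
function render_form(array $map): string {
    $html = "<form method=\"post\" autocomplete=\"off\">\n";
    foreach ($map as $logical => $random) {
        $html .= sprintf("  <label>%s <input type=\"text\" name=\"%s\" autocomplete=\"off\"></label>\n",
            htmlspecialchars($logical, ENT_QUOTES), htmlspecialchars($random, ENT_QUOTES));
    }
    return $html . "  <button>Pay</button>\n</form>\n";
}

// Translate a submitted POST array back to logical names; the map is single-use.
function read_submission(array &$session, array $post): ?array {
    $map = $session['cc_fields'] ?? null;
    unset($session['cc_fields']);
    if (!is_array($map)) {
        return null; // no form was issued, or it was already submitted
    }
    $out = [];
    foreach ($map as $logical => $random) {
        if (!isset($post[$random]) || !is_string($post[$random])) {
            return null; // missing or malformed field
        }
        $out[$logical] = $post[$random];
    }
    return $out;
}

// Constructed demo input (4111... is a test number, not a real card).
$session = [];
$map = issue_field_map($session);
echo render_form($map);
$post = [$map['card_number'] => '4111111111111111',
         $map['card_expiry'] => '12/30', $map['card_cvc'] => '123'];
var_dump(read_submission($session, $post));
```

Because the name map lives in the session and is discarded after one read, the backend "parsing" step is a plain lookup, and a replayed or stale form is rejected instead of being matched against guessed field names.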
