Last post Nov 23, 2014 10:26 AM by PatriceSc
Sep 26, 2014 01:08 PM|Cheng Bao|LINK
My site has a folder set to not allow anonymous requests; all requests need to be logged on as a domain user. So the browser will pop up a window asking for a username/password to proceed. My question is: many browsers ask whether the user wants to save the username/password locally. Is there a way to tell the browser not to do this?
Sep 28, 2014 03:24 AM|Michelle Ge - MSFT|LINK
As far as I know, if you do not want the browser to save the username and password, you need to set the autocomplete property to off with the code below:
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
There is a similar thread, please refer to the link below:
Hope it's useful for you.
Sep 29, 2014 11:35 AM|Cheng Bao|LINK
Sorry, I am looking to disable password saving for the IIS authentication check, not for passwords in HTML forms.
Sep 29, 2014 11:53 AM|AidyF|LINK
Basic auth is part of the operating system, you can't control it from your .net code, or the html. Browsers are even starting to ignore the autocomplete field on password form boxes. Whether a user has their password stored is for them to decide, not your site. Please note also that basic auth (the pop-up box) is *very* insecure as it transmits the username and password in clear text with each request, and I'd go as far as to say that it should never be used.
Sep 29, 2014 04:53 PM|Cheng Bao|LINK
I am using Windows authentication, not basic auth, so I think the user/password is encrypted before transfer over the internet.
I know normal .net code/html can't control this, since it happens before requests are sent to the .net engine. I wonder if some settings of IIS/web.config can be set, so that IIS has a protocol with the browser to suggest the browser doesn't save auth info.
Sep 29, 2014 05:51 PM|AidyF|LINK
Your windows auth isn't working :) When using windows auth, authentication is seamless, you don't get a pop-up. When windows auth is configured but not available, and basic auth is configured, then it will fall back to basic auth, which is what you're seeing with the pop-up. If you disable basic auth you'll probably find your site doesn't work at all.
Sep 30, 2014 11:28 AM|Cheng Bao|LINK
So, even if the site is on https, the username/password is still transferred as clear text?
Sep 30, 2014 11:49 AM|AidyF|LINK
The password is encrypted over the wire with https, but basic auth still leaves you vulnerable in other ways.
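Added example, not part of any post in this thread: a small check of which authentication schemes a 401 response offers, flagging the Basic fallback described above, plus a decode showing that a Basic `Authorization` value is only base64. The response, realm, account name and password are constructed sample values, and the function names are hypothetical.

```python
import base64

# Constructed 401 response: Windows auth (Negotiate, NTLM) with Basic also enabled.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="example.local"\r\n'
    "Content-Length: 0\r\n\r\n"
)
# Constructed header value a browser would send after the pop-up is filled in.
SAMPLE_AUTH = "Basic " + base64.b64encode(b"EXAMPLE\\alice:not-a-real-password").decode()

def offered_schemes(raw_response):
    """Return the schemes named in WWW-Authenticate headers, in order.
    Assumes one challenge per header line, as in the sample above."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def audit(raw_response, over_tls):
    """List findings about Basic auth for one 401 response."""
    schemes = offered_schemes(raw_response)
    findings = []
    if "basic" in schemes:
        if over_tls:
            findings.append("Basic over TLS: protected in transit, still sent with each request")
        else:
            findings.append("Basic without TLS: credentials readable on the wire")
        if {"negotiate", "ntlm"} & set(schemes):
            findings.append("Basic enabled next to Windows auth: a pop-up means fallback")
    return findings

def decode_basic(header_value):
    """Recover (user, password) from a Basic Authorization header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password

if __name__ == "__main__":
    print(offered_schemes(SAMPLE_401))
    for finding in audit(SAMPLE_401, over_tls=False):
        print("-", finding)
    print(decode_basic(SAMPLE_AUTH))
```
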
Oct 01, 2014 01:52 AM|Ruchira|LINK
I wonder if some settings of IIS/web.config can be set, so the IIS has protocols with browser to suggest browser don't save auth info.
No, it's a browser setting which cannot be controlled from your application.
Please 'Mark as Answer' if this post helps you
Nov 23, 2014 10:26 AM|PatriceSc|LINK
AFAIK no, and my understanding is that this is even considered bad (i.e. you remove from the user something that can actually be safer if properly handled).