View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
17349 | Bug reports | Security | public | 2021-06-02 16:35 | 2021-07-20 12:49 |
Reporter | alorenc | Assigned To | ollehar |
Priority | none | Severity | minor |
Status | closed | Resolution | no change required |
Product Version | 3.25.19 |
Summary | 17349: Autocomplete is not disabled in the password field. |
Description | We detected that password fields do not have autocomplete turned off:
Detected on v3.25.19 |
Tags | No tags attached. |
Bug heat | 258 |
Complete LimeSurvey version number (& build) | v3.27.1+210531 |
I will donate to the project if issue is resolved | No |
Browser | Chrome v91.0.4472.77 |
Database type & version | SQL Server 2019 |
Server OS (if known) | |
Webserver software & version (if known) | |
PHP Version | v7.4.15 NTS x64 |
Not a bug!
|
|
Does HTML5 not support password tags to disable autocompletion? |
|
And? Still an issue to disable autocompletion on login form, the security issue is to hack browser to disallow save of password. |
|
@alorenc Are you using one browser for multiple participants? Why is this an issue? |
|
Eventually by option for token, but it's easy to do in theme |
|
@DenisChenu @ollehar |
|
It's a security issue to disable autocomplete on login form. You read the link I put:
About token: OK, it can be seen as a not login form, but a login form with user + pass has to allow autocomplete. If you're not happy with this: open an issue at Mozilla and Chrome. |
|
When you look at https://caniuse.com/?search=autocomplete you can see that most browsers are ignoring this anyway in favor of their own login systems. |
|
From the point of view of our client, this is a problem, especially in the context of a corporation whose employees use surveys from different browsers in different places. Therefore, we had to ensure all precautions against unauthorized access to the surveys, which in the current version of Lime 3.x occurs when the token of the survey participant is intercepted. We used proprietary solutions with the help of plugins and changes in the architecture of the project environment. This allowed us to work around the reported problem. |
|
For token it can be easily updated via theme! Then: it's really not an issue... |
|
In this arrangement, the topic can be closed. I think we have exhausted the pros/cons of autocomplete ;) |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2021-06-02 16:35 | alorenc | New Issue | |
2021-06-02 16:51 | DenisChenu | Note Added: 64716 | |
2021-06-02 18:11 | ollehar | Note Added: 64720 | |
2021-06-02 18:32 | ollehar | Assigned To | => ollehar |
2021-06-02 18:32 | ollehar | Status | new => feedback |
2021-06-02 19:01 | DenisChenu | Note Added: 64723 | |
2021-06-02 19:03 | ollehar | Note Added: 64724 | |
2021-06-02 19:22 | DenisChenu | Note Added: 64725 | |
2021-06-04 10:46 | alorenc | Note Added: 64734 | |
2021-06-04 10:46 | alorenc | Status | feedback => assigned |
2021-06-04 10:54 | DenisChenu | Note Added: 64735 | |
2021-07-12 15:15 | c_schmitz | Note Added: 65382 | |
2021-07-13 09:24 | alorenc | Note Added: 65414 | |
2021-07-13 09:41 | DenisChenu | Note Added: 65415 | |
2021-07-19 09:21 | alorenc | Note Added: 65504 | |
2021-07-20 12:49 | ollehar | Status | assigned => closed |
2021-07-20 12:49 | ollehar | Resolution | open => no change required |