View Issue Details

WikiJump to Notes
IDProjectCategoryView StatusDate SubmittedLast Update
0026360mantisbtsecuritypublic2019-11-15 03:252019-12-02 17:15
Reporterjcamara Assigned Todregad  
PrioritynormalSeverityminorReproducibilityN/A
Status closedResolutionduplicate 
Summary0026360: Avoid storing credentials in login page
Description

Our security department suggests avoid store credential in [login_password_page.php] in order to increase security level.

Despite of this, some clients could prefer store their credentials into browser so the possibility of storing credentials may be parametrized.

TagsNo tags attached.

Relationships

Relationship GraphDependency Graph
duplicate of 0023611 acknowledged Disable, or provide config option to disable, autocomplete on login text boxes 

Activities

dregad

dregad

2019-11-15 09:12

developer   ~0063102

Do you mean the Keep me logged in option ?

If so, that can be disabled by setting $g_allow_permanent_cookie = OFF; in your config. You can also define how "permanent" that is, by changing $g_cookie_time_length (default 1 year).

Note that this does not actually store the user's credentials, it just saves a cookie with the user's session id.
jcamara

jcamara

2019-11-15 09:21

reporter   ~0063103

Last edited: 2019-11-15 09:21

Is related with these option too, but more precise with browser behavoir.

May be forced with:

<INPUT TYPE="password" AUTOCOMPLETE="off">