View Issue Details

ID: 0026360
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-12-02 17:15
Reporter: jcamara
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: duplicate
Summary: 0026360: Avoid storing credentials in login page
Description

Our security department suggests avoiding storing credentials in [login_password_page.php] in order to increase the security level.

Despite this, some clients could prefer to store their credentials in the browser, so the possibility of storing credentials may be parametrized.

Tags: No tags attached.

Relationships

duplicate of 0023611 (acknowledged): Disable, or provide config option to disable, autocomplete on login text boxes

Activities

dregad


2019-11-15 09:12

developer   ~0063102

Do you mean the Keep me logged in option?

If so, that can be disabled by setting $g_allow_permanent_cookie = OFF; in your config. You can also define how "permanent" that is, by changing $g_cookie_time_length (default 1 year).

Note that this does not actually store the user's credentials, it just saves a cookie with the user's session id.

jcamara


2019-11-15 09:21

reporter   ~0063103

Last edited: 2019-11-15 09:21


It is related to this option too, but more precisely to browser behavior.

May be forced with:

<INPUT TYPE="password" AUTOCOMPLETE="off">
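An added example, not part of the original thread and not MantisBT code: a small audit that lists every password input in a page and the autocomplete value that effectively applies to it, so a deployment can check whether the attribute from the note above is present. The sample markup, form ids and function names are constructed for illustration; the fallback from the input to its enclosing form follows the HTML autocomplete attribute's behaviour.

```python
from html.parser import HTMLParser

# Constructed sample markup, not MantisBT's actual login page source.
SAMPLE_LOGIN_HTML = """
<form id="login-a" method="post">
  <INPUT TYPE="password" NAME="password" AUTOCOMPLETE="off">
</form>
<form id="login-b" method="post" autocomplete="off">
  <input type="password" name="password">
</form>
<form id="login-c" method="post">
  <input type="password" name="password">
</form>
"""


class PasswordFieldAudit(HTMLParser):
    """Record each password input with its effective autocomplete value."""
    def __init__(self):
        super().__init__()
        self.form = (None, None)  # (id, autocomplete) of the enclosing form
        self.findings = []        # (form id, field name, effective value)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names (upper-case markup matches).
        attrs = dict(attrs)
        if tag == "form":
            self.form = (attrs.get("id"), attrs.get("autocomplete"))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # The input's own attribute wins; otherwise the form's applies.
            value = attrs.get("autocomplete") or self.form[1]
            self.findings.append(
                (self.form[0], attrs.get("name"), value.lower() if value else None))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = (None, None)


def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def fields_allowing_autocomplete(html):
    """Password inputs whose effective autocomplete value is not "off"."""
    return [f for f in audit(html) if f[2] != "off"]
```
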

Issue History

Date Modified Username Field Change
2019-11-15 03:25 jcamara New Issue
2019-11-15 09:12 dregad Assigned To => dregad
2019-11-15 09:12 dregad Status new => feedback
2019-11-15 09:12 dregad Note Added: 0063102
2019-11-15 09:21 jcamara Note Added: 0063103
2019-11-15 09:21 jcamara Status feedback => assigned
2019-11-15 09:21 jcamara Note Edited: 0063103
2019-11-15 09:21 jcamara Note Edited: 0063103
2019-11-15 18:20 atrol Status assigned => resolved
2019-11-15 18:20 atrol Resolution open => duplicate
2019-11-15 18:20 atrol Relationship added duplicate of 0023611
2019-12-02 17:15 atrol Status resolved => closed