ASP Classic & Browser Password Cache

Good day. I have a website that I am looking at making more secure and was going through a few changes. One of the things I was looking at was not allowing the browser to store passwords at the login page.

I am running IIS 6 and Windows 2003 on the server. All code is ASP Classic. Can anyone point me to what I would need to do (either in code or on the server) to prevent passwords from being stored in the browser?

Asked by: mig1980

Dave Baldwin (Fixer of Problems) commented:
I don't believe you can do that. Browsers are not under your control. Some sites use JavaScript to clear the login fields when the page is loaded. But Chrome seems to ignore that and insert the username and password anyway.
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Try using the autocomplete attribute

<input type="text" name="foo" autocomplete="off" />
mig1980 (Author) commented:
I have noticed that on some browsers (banks, etc), my browser will warn me that due to the security of the site, password cannot be stored. How do they do it?
sammySeltzer commented:
Dave is right. However, there are things you can do to prevent re-entering the secure area which I think is what you are getting at.

On the secure page, you can add these lines:

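   ' Expire the page immediately so the browser does not reuse a cached copy
   Response.Expires = 0
   Response.ExpiresAbsolute = Now() - 1
   ' Cache directives for HTTP/1.0 (Pragma) and HTTP/1.1 (Cache-Control)
   Response.AddHeader "pragma","no-cache"
   Response.AddHeader "cache-control","private"
   Response.CacheControl = "no-cache"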

at top of your page.

Finally, you should have this on your logout page already.

If not, add these:

Session("username")=""
Session.Contents.RemoveAll

Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Those messages you get from the bank sites, about not storing passwords, are typically easy to get around. There are plenty of add-ons for browsers that'll allow the end user to store their passwords, and even enable auto-complete. Those users you probably don't need to worry about, as they will be using their own computers to access your site. You want to worry about the users that use public computers (such as at a library or internet cafe). In those cases you'll want to employ the techniques used by sammySeltzer above (which'll prevent caching) as well as disabling auto-complete and also managing your session times. If you have highly confidential data, you may consider lowering your session time from the default of 15 minutes to 10 or even 5.

You may also consider having a password policy in place where it needs to change every x number of days...
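
The measures suggested in this thread combined into one page, as an added example that is not code posted by any participant: a hypothetical login.asp with the no-cache headers, autocomplete disabled, a 10-minute session timeout and a logout branch. CheckCredentials, secure.asp and the action=logout parameter are placeholders assumed for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: hypothetical login.asp, not code from the thread.
Response.Buffer = True            ' headers must be set before any output is sent

' Keep the page out of browser and proxy caches (headers as posted above)
Response.Expires = 0
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "pragma", "no-cache"
Response.AddHeader "cache-control", "private"
Response.CacheControl = "no-cache"

Session.Timeout = 10              ' minutes of inactivity before the session ends

' Placeholder: replace with a real lookup against salted password hashes
Function CheckCredentials(user, pass)
    CheckCredentials = False
End Function

' Logout branch: clear the session data, then destroy the session itself
If Request.QueryString("action") = "logout" Then
    Session.Contents.RemoveAll
    Session.Abandon
    Response.Redirect "login.asp"
End If

Dim failed : failed = False
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If CheckCredentials(Request.Form("username"), Request.Form("password")) Then
        Session("username") = Request.Form("username")
        Response.Redirect "secure.asp"
    End If
    failed = True
End If
%>
<html><body>
<% If failed Then %><p>Login failed.</p><% End If %>
<!-- autocomplete="off" is a request to the browser, not a guarantee -->
<form method="post" action="login.asp" autocomplete="off">
  <input type="text" name="username" autocomplete="off" />
  <input type="password" name="password" autocomplete="off" />
  <input type="submit" value="Log in" />
</form>
</body></html>
```

The same cache headers belong at the top of every page behind the login (secure.asp here), since those are the pages a later user of a shared computer could otherwise reach with the Back button.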
mig1980 (Author) commented:
Thank you all. Big Monty, great comments. All that you suggested outside of the additions sammySeltzer mentioned are being developed and implemented as well (stronger passwords, routine changes, changing session time).

I am looking at developing a proof of concept to review in the next few weeks. I will attempt to leverage the code by sammySeltzer and see if it works out.

I will circle back with my comments after testing (in a few weeks). In the meantime, if anyone else has a different suggestion, please let me know.
Scott Fell, EE MVE (Developer & EE Moderator) commented:
I like the idea of autocomplete=off. The other side of the argument is it may hinder password managers, and using a password manager to store complex passwords could be more beneficial than a password like "dogsname1".

My own bank uses autocomplete="off".

I have to log in and log out of a lot of web apps during the day. Many for projects I work on where I am giving demos. It would be embarrassing if multiple usernames showed up or password is prefilled in.

I am not crazy about Google storing all the usernames I use. I suppose it is helpful to some. Otherwise, I concur you ultimately can't control the client and only can make it somewhat difficult.
mig1980 (Author) commented:
The above worked great, everyone. We ended up deploying both ideas from sammySeltzer and Big Monty.


Thank you