ASP Classic & Browser Password Cache

Posted on 2014-08-21
Last Modified: 2014-08-28
Good day. I have a website that I am looking at making more secure and was going through a few changes. One of the things I was looking at was not allowing the browser to store passwords at the login page.

I am running IIS 6 and Windows 2003 on the server. All code is ASP Classic. Can anyone point me to what I would need to do (either in code or on the server) to not allow passwords from being stored on the browser?
Question by:mig1980
    LVL 82

    Expert Comment

    by:Dave Baldwin
    I don't believe you can do that.  Browsers are not under your control.  Some sites use JavaScript to clear the login fields when the page is loaded.  But Chrome seems to ignore that and insert the username and password anyway.
    LVL 32

    Assisted Solution

    by:Big Monty
    Try using the autocomplete attribute

    <input type="text" name="foo" autocomplete="off" />

    Author Comment

    I have noticed that on some browsers (banks, etc), my browser will warn me that due to the security of the site, password cannot be stored. How do they do it?
    LVL 28

    Accepted Solution

    Dave is right. However, there are things you can do to prevent re-entering the secure area which I think is what you are getting at.

    On the secure page, you can add these lines:

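       ' Mark the response as expired immediately (relative and absolute expiry)
       Response.Expires = 0
       Response.ExpiresAbsolute = Now() - 1
       ' Cache directives for HTTP/1.0 (Pragma) and HTTP/1.1 (Cache-Control)
       Response.AddHeader "pragma","no-cache"
       Response.AddHeader "cache-control","private"
       Response.CacheControl = "no-cache"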


    at top of your page.

    Finally, you should have this on your logout page already.

    If not, add these:



    LVL 32

    Expert Comment

    by:Big Monty
    Those messages you get from the bank sites, about not storing passwords, are typically easy to get around. There are plenty of add-ons for browsers that'll allow the end user to store their passwords, and even enable auto-complete. Those users you probably don't need to worry about as they will be using their own computers to access your site. You want to worry about the users that use public computers (such as at a library or internet cafe). In those cases you'll want to employ the techniques used by sammySeltzer above (which'll prevent caching) as well as disabling auto-complete and also managing your session times. If you have highly confidential data, you may consider lowering your session time from the default of 15 minutes to 10 or even 5.

    You may also consider having a password policy in place where it needs to change every x number of days...

    Author Comment

    Thank you all. Big Monty, great comments. All that you suggested outside of the additions sammySeltzer mentioned are being developed and implemented as well (stronger passwords, routine changes, changing session time).

    I am looking at developing a proof of concept to review in the next few weeks. I will attempt to leverage the code by sammySeltzer and see if it works out.

    I will circle back with my comments after testing (in a few weeks). In the meantime, if anyone else has a different suggestion, please let me know.
    LVL 52

    Expert Comment

    by:Scott Fell, EE MVE
    I like the idea of autocomplete=off.  The other side of the argument is it may hinder password managers and using a password manager to store complex passwords could be more beneficial than a password like "dogsname1".  

    My own bank uses autocomplete="off"  

    I have to log in and log out of a lot of web apps during the day. Many for projects I work on where I am giving demos. It would be embarrassing if multiple usernames showed up or password is prefilled in.

    I am not crazy about Google storing all the usernames I use.  I suppose it is helpful to some.    Otherwise, I concur you ultimately can't control the client and only can make it somewhat difficult.

    Author Closing Comment

    The above worked great everyone. We ended up deploying both ideas from sammySeltzer and Big Monty

    Thank you
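
A way to check that both measures from this thread are actually being served, written as an added example that is not part of the original thread: it audits one captured response for the no-cache headers and for `autocomplete="off"` on password fields. The sample responses are constructed, the function and class names are hypothetical, and `no-store` is accepted as an alternative directive although the thread does not mention it.

```python
from html.parser import HTMLParser

class FormAudit(HTMLParser):
    """Record each password input and whether autocomplete is off for it."""
    def __init__(self):
        super().__init__()
        self.form_off = False       # autocomplete="off" on the enclosing <form>
        self.password_fields = []   # (field name, autocomplete disabled?)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        off = a.get("autocomplete", "").lower() == "off"
        if tag == "form":
            self.form_off = off
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields.append((a.get("name", ""), off or self.form_off))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_response(headers, body):
    """Return findings for one captured response (header dict, HTML body)."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []
    directives = {d.strip() for d in h.get("cache-control", "").split(",")}
    if not directives & {"no-cache", "no-store"}:
        findings.append("Cache-Control lacks no-cache/no-store")
    if h.get("pragma") != "no-cache":
        findings.append("Pragma: no-cache missing")
    if "expires" not in h:
        findings.append("Expires header missing")
    audit = FormAudit()
    audit.feed(body)
    for name, off in audit.password_fields:
        if not off:
            findings.append(f"password field '{name}' allows autocomplete")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = ({"Cache-Control": "private"},
        '<form method="post"><input type="text" name="user">'
        '<input type="password" name="pwd"></form>')
HARDENED = ({"Cache-Control": "private, no-cache", "Pragma": "no-cache",
             "Expires": "Wed, 20 Aug 2014 00:00:00 GMT"},
            '<form method="post" autocomplete="off"><input type="text" name="user">'
            '<input type="password" name="pwd" autocomplete="off" /></form>')
print(audit_response(*WEAK))
print(audit_response(*HARDENED))
```

An empty result only confirms the markup and headers are sent; as the thread notes, the client can still ignore them.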
