
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 367

ASP Classic & Browser Password Cache

Good day. I have a website that I am looking at making more secure and was going through a few changes. One of the things I was looking at was not allowing the browser to store passwords at the login page.

I am running IIS 6 and Windows 2003 on the server. All code is ASP Classic. Can anyone point me to what I would need to do (either in code or on the server) to prevent passwords from being stored in the browser?
0
mig1980
Asked:
mig1980
2 Solutions
 
Dave Baldwin (Fixer of Problems) commented:
I don't believe you can do that. Browsers are not under your control. Some sites use javascript to clear the login fields when the page is loaded. But Chrome seems to ignore that and insert the username and password anyway.
0
 
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Try using the autocomplete attribute

<input type="text" name="foo" autocomplete="off" />
0
 
mig1980 (Author) commented:
I have noticed that on some sites (banks, etc.), my browser will warn me that due to the security of the site, passwords cannot be stored. How do they do it?
0
 
sammySeltzer commented:
Dave is right. However, there are things you can do to prevent re-entering the secure area which I think is what you are getting at.

On the secure page, you can add these lines at the top of your page:

   <%
   ' Expire the response immediately so the browser and any proxy won't serve it from cache
   Response.Expires = 0
   Response.ExpiresAbsolute = Now() - 1
   ' Pragma covers older HTTP/1.0 caches; Cache-Control covers HTTP/1.1
   Response.AddHeader "Pragma", "no-cache"
   Response.AddHeader "Cache-Control", "private"
   Response.CacheControl = "no-cache"
   %>

Finally, you should have this on your logout page already.

If not, add these:

   <%
   ' Clear the signed-in user and every other session variable
   Session("username") = ""
   Session.Contents.RemoveAll
   %>

0
 
Big Monty (Senior Web Developer / CEO of ExchangeTree.org) commented:
Those messages you get from the bank sites, about not storing passwords, are typically easy to get around. There are plenty of add-ons for browsers that'll allow the end user to store their passwords, and even enable auto-complete. Those users you probably don't need to worry about, as they will be using their own computers to access your site. You want to worry about the users that use public computers (such as at a library or internet cafe). In those cases you'll want to employ the techniques used by sammySeltzer above (which'll prevent caching) as well as disabling auto-complete and also managing your session times. If you have highly confidential data, you may consider lowering your session time from the default of 15 minutes to 10 or even 5.

You may also consider having a password policy in place where it needs to change every x number of days...
0
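Putting the thread's suggestions together in one place: no-cache headers sent before any HTML, autocomplete="off" on the login form, a shorter session timeout, and a logout page that empties the session. This is an added example, not code from any of the posters; the file names login.asp, logout.asp and secure/default.asp and the CheckCredentials function are assumptions standing in for the asker's own code.

```asp
<%@ Language="VBScript" %>
<% Option Explicit
' login.asp (assumed file name). Added example for this thread, not the asker's code.
' Headers must go out before any HTML, so this block sits at the very top of the file.
Response.Buffer = True
Response.Expires = 0
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Pragma", "no-cache"
' "no-store" asks the browser not to write the page to disk at all; "no-cache" alone
' still allows storing but forces revalidation before reuse.
Response.CacheControl = "no-store, no-cache, must-revalidate"
' Idle timeout in minutes, shorter than the IIS default, as suggested in the thread.
Session.Timeout = 10

Dim errMsg
errMsg = ""

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    ' CheckCredentials is a placeholder for your own user-store lookup
    ' (a hashed-password comparison against your database); it is not defined here.
    If CheckCredentials(Request.Form("username"), Request.Form("password")) Then
        ' Start from a clean session so nothing from a previous user carries over.
        Session.Contents.RemoveAll
        Session("username") = Request.Form("username")
        Response.Redirect "secure/default.asp"
    Else
        errMsg = "Invalid username or password."
    End If
End If
%>
<html>
<head><title>Sign in</title></head>
<body>
<% If errMsg <> "" Then Response.Write "<p>" & Server.HTMLEncode(errMsg) & "</p>" %>
<!-- autocomplete="off" on the form covers every field; it is repeated on the
     password field as a belt-and-braces measure. As the thread says, this is a
     hint to the browser, not enforcement: some browsers and add-ons ignore it. -->
<form method="post" action="login.asp" autocomplete="off">
  <label>Username <input type="text" name="username" autocomplete="off" /></label>
  <label>Password <input type="password" name="password" autocomplete="off" /></label>
  <input type="submit" value="Sign in" />
</form>
</body>
</html>

<%
' ==== logout.asp (separate file, assumed name) ====
' Same no-cache headers as above, then drop every session variable and the
' session itself so the Back button cannot land on a still-authenticated page.
Response.Expires = 0
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Pragma", "no-cache"
Response.CacheControl = "no-store, no-cache, must-revalidate"
Session.Contents.RemoveAll
Session.Abandon
Response.Redirect "login.asp"
%>
```

Every page inside the secure area should send the same header block (an include file is the usual way), otherwise a cached copy of a protected page can still be pulled up on a shared machine after logout even though the login page itself was never cached.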
 
mig1980 (Author) commented:
Thank you all. Big Monty, great comments. All that you suggested outside of the additions sammySeltzer mentioned is being developed and implemented as well (stronger passwords, routine changes, changing session time).

I am looking at developing a proof of concept to review in the next few weeks. I will attempt to leverage the code by sammySeltzer and see if it works out.

I will circle back with my comments after testing (in a few weeks). In the meantime, if anyone else has a different suggestion, please let me know.
0
 
Scott Fell, EE MVE (Developer) commented:
I like the idea of autocomplete=off. The other side of the argument is that it may hinder password managers, and using a password manager to store complex passwords could be more beneficial than a password like "dogsname1".

My own bank uses autocomplete="off".

I have to log in and log out of a lot of web apps during the day, many for projects I work on where I am giving demos. It would be embarrassing if multiple usernames showed up or a password was prefilled in.

I am not crazy about Google storing all the usernames I use. I suppose it is helpful to some. Otherwise, I concur you ultimately can't control the client and can only make it somewhat difficult.
0
 
mig1980 (Author) commented:
The above worked great, everyone. We ended up deploying both ideas from sammySeltzer and Big Monty.


Thank you
0
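A way to verify that a deployed login page actually carries the settings agreed on in this thread, as an added example that is not part of the thread: it inspects a response's headers and HTML for the no-cache directives and for autocomplete="off" on password fields (honoured either on the input or on its enclosing form). The sample responses are constructed inline, so nothing is fetched; in practice you would feed it the headers and body from a real capture.

```python
"""Check a login page's HTTP response for the cache and autocomplete settings
discussed in this thread. Added example, not code from the thread; the sample
headers and HTML below are constructed for illustration."""
from html.parser import HTMLParser


class _PasswordFieldScanner(HTMLParser):
    """Collects each password input and whether autocomplete is off for it,
    either on the input itself or on the enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.password_fields = []   # list of (name, autocomplete_off)
        self._form_off = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._form_off = a.get("autocomplete") == "off"
        elif tag == "input" and a.get("type", "text") == "password":
            off = a.get("autocomplete") == "off" or self._form_off
            self.password_fields.append((a.get("name", "?"), off))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_off = False


def check_login_response(headers, body):
    """Return a list of findings; an empty list means the response looks right."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store (page may be written to disk)")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache (page may be reused without revalidation)")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache header missing (older HTTP/1.0 caches)")

    scanner = _PasswordFieldScanner()
    scanner.feed(body)
    if not scanner.password_fields:
        findings.append("no password field found in the page")
    for name, off in scanner.password_fields:
        if not off:
            findings.append(f"password field '{name}' lacks autocomplete=\"off\"")
    return findings


# Constructed sample responses (not captured from any real site)
GOOD_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate",
                "Pragma": "no-cache"}
GOOD_BODY = ('<form method="post" action="login.asp" autocomplete="off">'
             '<input type="text" name="username" />'
             '<input type="password" name="password" /></form>')
BAD_HEADERS = {"Cache-Control": "private"}   # what an untouched ASP page typically sends
BAD_BODY = '<form method="post"><input type="password" name="pwd" /></form>'

if __name__ == "__main__":
    for label, hdrs, body in (("good", GOOD_HEADERS, GOOD_BODY),
                              ("bad", BAD_HEADERS, BAD_BODY)):
        print(label, check_login_response(hdrs, body) or "OK")
```

The check is stricter than sammySeltzer's header set on one point: it also wants no-store, because no-cache on its own still lets a browser keep a copy on disk as long as it revalidates before reuse.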
