Autocomplete deactivation

Autocomplete is a browser feature, which remembers submitted user names in sign-in forms and also all words submitted through any forms in the system. This page focuses only on the autocomplete functionality in the administration sign-in form.

When users try to sign in using a form, the autocomplete feature provides them with a list of already remembered user names. This is convenient for the users in many ways:

  • The users do not have to type the whole user name every time they want to sign in.
  • If the users forget their user names, this feature can help them sign in.
  • It reduces the discomfort of having to type the user names repeatedly on mobile devices.

However, using the autocomplete can pose a security risk. A malicious user who obtains user names from the autocomplete feature may gain access to the user accounts, for example, using a dictionary attack. Thus, you should always consider the damage a malicious user could do. This threat mainly depends on the type of application you are creating and how this application will be used (on private computers only or in public places like schools, libraries, etc.).

You should disable autocomplete in applications working with:

  • Bank accounts
  • Social media
  • Sensitive information

Disabling autocomplete

To disable autocomplete in the sign-in form for the Xperience administration interface:

  1. Open the Settingsapplication.
  2. Select the Security & Membership -> Protection category in the settings tree.
  3. Clear the Enable Autocomplete check box.
  4. Click Save.

Note: With autocomplete disabled, the system generates the autocomplete=“Off” attribute for username inputs in the administration sign-in form. However, handling of the attribute depends on individual browsers, configurations, used plugins, etc. Some client configurations and applications may use autocomplete features even when the attribute is set to off.