
Webmail Login Autocomplete

Discussion in 'E-mail Discussions' started by JamieW, Apr 30, 2008.

  1. JamieW

    JamieW Member

    How do I stop cPanel from putting autocomplete="off" in the webmail login form?

    I have a number of different email accounts, and I don't want to have to type in long email addresses and remember passwords every time I keep switching back and forth checking them with webmail.

    It's very annoying having my own site block me from auto-completing the form. I hate it when yahoo and some other annoying sites do it; I'm not going to have my own domains doing it too.

    So I'm hoping there's an option to disable that, maybe in WHM for the entire site, or at least per-domain if needed.

    --
    Jamie
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    That is done for security purposes (i.e. information disclosure).

    The only way to override it is to create a custom theme, or at least a custom version of the webmail login/logout pages.
     
  3. JamieW

    JamieW Member

    Okay, but isn't the whole reason browsers allow saving of passwords for stuff just like this? The user can always say "no" when it asks if they want that info saved or not.

    Now I can possibly see this as an option, if someone is overly paranoid about it, and allow them to turn it on for their domain. In my opinion though, it should allow saving by default. Why take the control and choice away from the user?

    Otherwise, if this is a legitimate issue, it sounds like browsers shouldn't be able to save passwords at all.

    Though I do thank you for the reply and the pointer. I will try and figure out how to change just the webmail login/logout theme page or however it's done. Though I think I'd rather not do that, as I suspect that means it will keep it from being automatically updated when cPanel is, and I'll have to keep doing manual fixes anytime there's a change.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The security issues with autocomplete in text fields are unrelated to the browser feature of saving your username+password to provide autologin next time you visit a site. The autocomplete data is not secured at all, allowing anyone else who uses the same computer, with the same login, to access whatever data was saved as part of the text field's autocomplete.

    Consider a couple scenarios:

    1. A public terminal. This could be in a school, a library, an Internet Cafe. This is a computer over which you have very little control.

    2. A home computer. Often these computers have multiple users, but only one login.

    With autocomplete enabled, whatever is typed into a text field is retained by the browser. All the next user must do is access a form you previously accessed, depress the down arrow key and obtain a list of all entries prior users inputted. The way the data is retained for autocomplete purposes is very insecure.

    For example, any form with a text field named 'username' has access to the same autocomplete data. Thus, even if a malicious user doesn't visit the same website as you, if he accesses a form with a similarly named field, he immediately has access to the autocomplete data.

    There are other ways of accessing that data outside the browser, because it is not stored in a secure fashion.

    With all the above said, password fields and text areas do not have autocomplete capabilities, only text fields.

    The auto login capabilities of browsers are very different than the autocomplete feature. Auto Login data is usually encrypted and stored in a manner that makes it only usable on the exact site where it was used originally. Depending upon the browser and login form, this data may seldom be displayed to the user after the initial save.

    Because of the insecure nature of the autocomplete data, we decided to disable it for the login form fields.
     
  5. JamieW

    JamieW Member

    I agree, data on unsecured terminals like in libraries and such should not be saved in that fashion.

    I'm using Firefox, what I think is a pretty common browser after IE. When the autocomplete="off" is added to the field, it also blocks it from supporting user name and password fill-in for the user too. So disabling one is disabling the other as well. I'm forced to type my user name and passwords every time I switch back and forth between my accounts, even though I'm using mine on a secured machine and account no one else has access to. I just tested this in IE, and it appears to have the same behavior as well (turning auto complete off is disabling user name and password saving / fill-in).

    And in Firefox, not only is form completion data not stored securely, user name and password data is also stored in clear text and viewable right from the options section (unless you choose to secure it with a master password, which most don't). I don't know if IE handles it differently or not.

    Firefox places the responsibility of securing the data on the user by not sharing your browser / account access with others you don't trust with that data, or by not saving that data at all.

    In the cases of public terminals, the responsibility for that shouldn't be with every site the user is logging into, but with the admin of that terminal that knows it isn't secure, and they should disable auto-complete, password saving, and all other insecure features in the browser itself, so it can't be used anywhere, not just the limited number of sites that block it.

    If a person chooses to be unsecured with their system at home, that should also be their own responsibility, the same as if you choose to leave your cash sitting on a counter. It shouldn't be someone else's responsibility to make you exercise good sense (such as the government stepping in and saying no one can have cash anymore because it's not secure).

    I'm all for making things more secure for users in unsecured environments. But I don't want that to make it vastly more inconvenient for the majority who aren't in that situation. And if it is something that's going to be enabled, then I at least would like the option of controlling it on my own servers, preferably without having to go a route that's going to be hard to keep my system up to date (meaning manual changes with each new release).

    So yes, sensitive data shouldn't be saved on public terminals, and home users should take steps to protect their data if they don't trust others with it that may have access to their machine. But disabling it in the form for all users on all machines all of the time is not the right solution. It should be handled on a machine by machine basis. Public machines can disable the features for all sites, and virtually all modern home computers allow separate secure accounts.

    Well that's how I see it, at least. I do appreciate the feedback, and hope this will help guide the design to something less inconvenient. I really don't want to have to switch to gmail accounts or something like that for my webmail access, when I have my own server for it. (And Google is a good example: they do not do this, and they're usually pretty smart about web-based systems and security.)
     
  6. LasseTK

    LasseTK Active Member

    This was really frustrating, but I found a solution.

    All you need to do is to install your own login theme. In this theme you simply just exclude the autocomplete="off" and it will work :)

    You can use the universal theme manager within WHM to do so. There is a tutorial on how to do this here:

    http://forums.cpanel.net/f8/customize-login-page-74081.html#post346240
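
To check what a login page (stock or custom theme) actually tells the browser, the following added example, which is not part of the thread and not cPanel code, parses the page's HTML and reports each input's effective autocomplete state, applying the HTML rule that a field's own attribute overrides the one on its form. The sample markup, field names and helper names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup for illustration; not cPanel's actual login template.
SAMPLE_LOGIN = """
<form action="/login/" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="on">
  <input type="hidden" name="goto_uri" value="/">
</form>
<form action="/search"><input name="q"></form>
"""

# Input types this audit skips because the user does not type text into them.
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image",
              "checkbox", "radio", "file"}


class AutocompleteAudit(HTMLParser):
    """Collect (name, type, effective autocomplete state) for typed inputs."""

    def __init__(self):
        super().__init__()
        self.form_state = ""   # autocomplete value of the enclosing <form>
        self.results = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Normalise an attribute value; a missing or bare attribute becomes "".
        val = lambda key: (a.get(key) or "").strip().lower()
        if tag == "form":
            self.form_state = val("autocomplete")
        elif tag == "input":
            itype = val("type") or "text"
            if itype in SKIP_TYPES:
                return
            # The field's own attribute wins; otherwise inherit from the form.
            effective = val("autocomplete") or self.form_state or "on"
            state = "off" if effective == "off" else "on"
            self.results.append((a.get("name") or "", itype, state))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_state = ""


def audit(html):
    """Return the effective autocomplete state of every typed input in html."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.results
```

Running `audit()` over the saved source of a login page before and after a theme change shows whether the attribute was removed from the form, from individual fields, or both.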
     