
Honeypot browser autofill with a false "password" variable has side effects

Open ruifcastro opened this issue 3 years ago • 2 comments

Just found a side effect with honeypots, in my case I use a false "password" field: $form->honeypot = 'password';

If the user saves the information (Edge seems to be saving automatically), a password manager of the browser will try to autofill this field.

This only happens in forms where I use the $form->password( function of formr. Doesn't happen in normal forms without the password type <input type="password"

The password field seems to be something the browsers look for to autofill them.

With many tests the only thing that made the browser stop filling the false "password" field was to do this, add autocomplete="new-password" to the field:

$form->password('senhaNova','Senha Nova: ','','','autocomplete="new-password"');

My suggestion is a new function like:

$form->newpassword('senhaNova','Senha Nova: ');

Which would always insert the 'autocomplete="new-password"' html code. This also has another effect, which lets the browser add a suggest password option.

Do as you wish. I have fixed it with this $form->password('senhaNova','Senha Nova: ','','','autocomplete="new-password"');.

This is my full form (I added 'autocomplete="off"' to the form, but it doesn't seem to do anything):

@php
	$form->open('','',"?tputil={$tputil}&lang={$lang}", '', 'autocomplete="off"');
	$form->csrf();
	$form->required = '*';
	$form->required_indicator = '*';
	$form->honeypot('password');
	$form->password('senhaNova','Senha Nova: ','','','autocomplete="new-password"');
	$form->password('confirmarSenha','Confirmar a Senha: ','','','autocomplete="new-password"');
	$form->hidden('CdVerificacao',$CdVerificacao);
	$form->hidden('token',$token);
	$form->hidden('tresLetrasDaContaAD',$tresLetrasDaContaAD);
	$form->hidden('ContaAD',$contaad);
	$form->hidden('nome',$nome);
	$form->hidden('comprimentoDaPassword',$comprimentoDaPassword);
	$form->submit_button('Alterar');
	$form->messages();
	$form->form_close();
@endphp

ruifcastro Jun 29 '22 10:06

I'll think about it; thanks for the suggestion. :)

timgavin Jun 29 '22 15:06

The best solution would be to add something to the honeypot html code, but I could not find a workable solution (I did try autocomplete="off"). I did find some crazy CSS pixel tricks, but I didn't test them out.

The browser password manager will always fill it out if it has something saved in its database.

But anyway, like I said, the 'autocomplete="new-password"' does still help the browser suggest a good password (right click on text box) which is a great feature to have for a new password field.

Thx anyway. Keep up the great work.

ruifcastro Jun 29 '22 15:06