tempest-framework

Prevent certain fields from being saved in Session::ORIGINAL_VALUES

Open joshmcrae opened this issue 1 month ago • 0 comments

Description

When returning an Invalid response, the original request body is saved to Session::ORIGINAL_VALUES and persisted to session storage. This means plaintext passwords and potentially other sensitive information are being stored on the filesystem or in the database.

It would be useful to control this in some way, potentially through a validation attribute or some other config which omits a field from being repopulated when a form submission fails.

Benefits

  • Sensitive data is not stored in session storage
  • Users can be forced to re-enter certain fields when validation fails

joshmcrae, Nov 26 '25 02:11
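
One way the attribute-based opt-out suggested in this issue could work, as an added example that is not Tempest's code or the issue author's. The `Sensitive` attribute, the `RegisterRequest` class and the `withoutSensitiveFields()` helper are hypothetical names, and the filter is assumed to run before the original values are written to the session.

```php
<?php
declare(strict_types=1);

// Hypothetical marker attribute; not part of Tempest.
#[Attribute(Attribute::TARGET_PROPERTY)]
final class Sensitive {}

// Hypothetical request object for a registration form.
final class RegisterRequest
{
    public string $email = '';

    #[Sensitive]
    public string $password = '';

    #[Sensitive]
    public string $password_confirmation = '';
}

/**
 * Return the submitted values with every field marked #[Sensitive] removed,
 * so the result can be persisted for form repopulation.
 * Keys that are not declared on the request class pass through unchanged.
 */
function withoutSensitiveFields(string $requestClass, array $body): array
{
    $reflection = new ReflectionClass($requestClass);

    foreach ($reflection->getProperties() as $property) {
        // A property carrying the marker attribute is dropped from the copy.
        if ($property->getAttributes(Sensitive::class) !== []) {
            unset($body[$property->getName()]);
        }
    }

    return $body;
}

// Constructed sample of a form submission that fails validation.
$body = [
    'email' => 'not-an-email',
    'password' => 'correct horse battery staple',
    'password_confirmation' => 'correct horse battery',
];

// Only this filtered array would be written to session storage.
$originalValues = withoutSensitiveFields(RegisterRequest::class, $body);
var_dump($originalValues);
```

With this filter in place the form repopulates `email` after a failed submission, while both password fields come back empty and have to be re-entered.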