Disabling Browser's "save password" feature on auth failure

Question

I'm looking for a server-side implementation to disable a browser from saving invalid login credentials. For example, user "foo" logs in with password "bar". Browser asks foo if he wants to save the password. However, foo's password is actually "baz" and therefor would be saving the incorrect password.

I've tried manipulating the HTTP codes, such as sending HTTP/1.1 401, but without success.

This is NOT solved by adding "autocomplete" to the form, as this prevents any saving (even valid).

Server backend is PHP.

Answer 1

I don't think you can - that's a browser behaviour.

Closest you could come, is write a Firefox plugin that maybe could intercept the request. But I'm not even sure about that, and it only applies to Firefox. You'd need to look at Chrome, IE, Safari and any other browser you're interested in.

Answer 2

You can't have it dismiss that box if the authentication fails. However, you could have it prevent subsequent fillings of that field on the "Password Failed" page after the initial attempt. Once the page has loaded, manipulate the DOM to remove the text value from the password field if the last login attempt was invalid. It would still display the password on subsequent "fresh" visits to the site, but hopefully the correct password will have been saved by then.

Answer 3

It seems that you are attempting to fix something that is not your job and which you have no control over. As Joel Mueller has stated, Firefox addressed this issue by changing their modal save password dialog to a status bar which allows you to confirm that the password was correct before you save it. If you are experiencing this issue in other browsers then you should submit it as a feature request to the developers of that browser so that the issue can be fixed at their end, which is the only place it needs to be addressed.