views:

12056

answers:

13

How do you disable Autocomplete in the major browsers for a specific input (or form field)?

+48  A: 
<input type="text" name="foo" autocomplete="off" />

Doesn't that work on major browsers?

nlucaroni
This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.
Winston Fassett
Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*...
Jrgns
Works a treat! :)
Nick Josevski
A: 
<form autocomplete="off" ...

was a none standard way to do this (I think mozilla and IE still support it) but messing with the users expectations is normally a bad idea.

If the user enters their credit card details into a form and then let's someone else use that browser it's not your concern :)

sparkes
As far as I remember, most browsers don't use autocomplete even if it is on when doing something over HTTPS.If your users enter their credit card details into a form that will be sent over HTTP, they might have bigger problems than autocomplete.
Nouveau
and it IS your problem if someone gets frauded and blames you because you were the only merchant they gave the card to
Simon_Weaver
A: 

Use a non-standard name and id for the fields, so rather than "name" have "name_". Browsers will then not see it as being the name field. The best part about it is that you can do this to some but not all fields and it will autocomplete some but not all fields.

Teifion
The problem with this is if any other sites use "name_" to achieve the same objective then you're back to square one.
ConroyP
so make it "mysite_name". If anyone else is using that, I'd ask them questions...
Steve Perks
this messes up some of those automatic populating utilities
Simon_Weaver
+16  A: 
<form name="form1" id="form1" method="post" 
autocomplete="off" action="http://www.example.com/form.cgi"&gt;

This will work in IE and FF, the downside is that it is not XHTML standard.

brendan
I've noticed that adding it to the form element doesn't always prevent it from being applied to individual inputs within the form. Therefore it is probably best to place it on the input element directly.
sholsinger
+2  A: 

Just set autocomplete="off". There is a very good reason for doing this: You want to provide your own autocomplete functionality!

I've used this on at least two occasions.

EndangeredMassa
+3  A: 

On a related, or actually, on the completely opposite note - if you're the user of the aforementioned form and want to re-enable the autocomplete functionality, use the 'remember password' bookmarklet from this bookmarklets page. It removes all 'autocomplete="off"' attributes from all forms on the page. Keep fighting the good fight!

Antti Sykäri
A: 

Why would you make your user's life less convenient?

"Passwords / credit card data / etc. should not be saved" is a bad argument: with autocomplete on, browsers in Mac OS X store such values in an encrypted database with per-application permissions. Conversely, what's the realistic effect of autocomplete=off? The user is going to write it in an unencrypted text file, or better yet, on a post-it note attached to the screen.

Good thing there's bookmarklets like the one Antti mentioned, and patches to make the engine ignore the attribute altogether.

Seriously, I urge you to reconsider using this attribute. It does not benefit anyone.

Sören Kuklau
+2  A: 

We did actually use sasb's idea for one site. It was a medical software web app to run a doctor's office. However, many of our clients were surgeons who used lots of different workstations, including semi-public terminals. So, they wanted to make sure that a doctor who doesn't understand the implication of auto-saved passwords or isn't paying attention can't accidentally leave their login info easily accessible. Of course, this was before the idea of private browsing that is starting to be featured in IE8, FF3.1, etc. Even so, many physicians are forced to use old school browsers in hospitals with IT that won't change.

So, we had the login page generate random field names that would only work for that post. Yes, it's less convenient, but it's just hitting the user over the head about not storing login information on public terminals.

Mufasa
+11  A: 

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

Ben Combee
+6  A: 

As others have said, the answer is autocomplete="off"

However I think it's worth stating why it's a good idea to use this in certain cases as some answers to this and duplicate questions have suggested it's better not to turn if off.

Stopping browsers storing credit card numbers shouldn't be left to users. Too many users won't even realise it's a problem.

It's particularly important to turn it off on fields for credit card security codes. As this page states

"Never store the security code ... its value depends on the presumption that the only way to supply it is to read it from the physical credit card, proving that the person supplying it actually holds the card."

The problem is, if it's a public computer (cyber cafe, library etc) it's then easy for other users to steal your card details, and even on your own machine a malicious website could steal autocomplete data.

Sam Hasler
if i went to a site and it remembered my card in the dropdown i'd be very unhappy. id start to wonder how they could be so careless.
Simon_Weaver
@Simon the annoying thing is you'll only realise it's happened if you revisit the site, and by then it could already be too late.
Sam Hasler
A: 

@Sören Kuklau don't be so narrow minded about this.... for example, on a captcha form field, you don't want the browser to remember the version

Also, having a browser remember form values is a classic way of ending up with bad (automcomplete remembered) data entry through this. There are times this is really useful, but it can also cause problems like this.

zac spitzer
A: 

One more usage includes administration forms to create or edit users; you don't want the form pre-filled with your current credentials.

This also applies to password change forms, esp. those designed as leave blank to keep current password.

Álvaro G. Vicario
A: 

In some systems where testers have to manually enter a lot of information over and over it might be useful to have the option as configurable so that when testing you can disable it and just hit 'tab > down arrow > tab > down arrow etc...'

Simon_Weaver