Tuesday, August 01, 2006

Password-storage-busting

Firefox and Internet Explorer store passwords if you want them to. I'm sure other browsers do too, but the big two do.

However, there are times you don't want people auto logged in - sometimes it's unwise, and you want to prevent it. (Never mind that the help desk bans password storage like this; a policy doesn't matter when it isn't followed.)

So, how do you fix this with Struts + JSP + JSTL, in a cross-platform way?

Let's explore the options:
1. Turn autocomplete off. This is a non-standard (non-HTML 4.01) attribute. Struts doesn't want to pass it through - it's not XHTML. So I can't just do:
<html:form autocomplete="off">

2. OK, let's try JavaScript. Let's say
form.password.value = "";
This legitimately blanks the password field on load - however, when the user's cursor enters the password field, the browser pulls the stored password and fills it in for the user.

3. How about trying
<input type="password" autocomplete="off">
This is supposed to do the trick. In my testing, it does nothing to prevent password storage in Firefox 1.5.

4. Now how about the option I liked the best: having the following in your JSP (the password field's name changes on every request, so the browser never sees the same field twice):
<jsp:useBean id="now" class="java.util.Date" scope="request"/>
<c:set var="nowInt" value="${now.time}" scope="page"/>
<input type="text" name="username"/>
<input type="password" name="password<c:out value="${nowInt}"/>"/>
<input type="hidden" name="salt" value="<c:out value="${nowInt}"/>"/>

On the backend, you do:

// form is the Struts ActionForm handed to Action.execute()
String salt = (String) PropertyUtils.getSimpleProperty(form, "salt");
String username = (String) PropertyUtils.getSimpleProperty(form, "username");
String password = (String) PropertyUtils.getSimpleProperty(form, "password" + salt);

Unfortunately, this doesn't work: the Struts form-bean config doesn't allow a dynamically named form element, so the last property lookup fails. The frontend works - no password is ever stored, in any browser - so it's close, but the backend does not.

4a. The final solution works! We use the same frontend from 4, and for the password field we bypass Struts and read the servlet request directly.

// form is the Struts ActionForm handed to Action.execute(); request is the HttpServletRequest
String salt = (String) PropertyUtils.getSimpleProperty(form, "salt");
String username = (String) PropertyUtils.getSimpleProperty(form, "username");
// Struts never binds the dynamically named field, so fetch it straight from the request parameters
String password = request.getParameter("password" + salt);
verify(username, password);
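As an added example (not code from the original post), here is the 4a lookup done against a plain parameter map shaped like HttpServletRequest.getParameterMap(), plus the check a reviewer would ask for: the salt is client-supplied, so it is validated as a digits-only timestamp before it is concatenated into a parameter name. The class name, the 15-minute freshness window and the sample values are assumptions of mine.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: resolves the per-request password field from option 4a
// without Struts form-bean binding. The Map mirrors what
// HttpServletRequest.getParameterMap() returns, so this compiles and runs
// without the servlet API on the classpath. Class name is an assumption.
public final class DynamicPasswordField {

    // The JSP emits ${now.time}: epoch milliseconds, i.e. a run of digits.
    // Anything else is rejected so a client cannot steer the lookup to an
    // arbitrary parameter name. 18 digits keeps Long.parseLong from overflowing.
    private static final Pattern SALT = Pattern.compile("^[0-9]{1,18}$");

    // Assumed window: a form rendered longer ago than this is not accepted.
    private static final long MAX_AGE_MILLIS = 15L * 60 * 1000;

    private static String firstValue(Map<String, String[]> params, String name) {
        String[] values = params.get(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /** Returns the submitted password, or null if the salt is missing, malformed or stale. */
    static String resolvePassword(Map<String, String[]> params, long nowMillis) {
        String salt = firstValue(params, "salt");
        if (salt == null || !SALT.matcher(salt).matches()) {
            return null;
        }
        long issued = Long.parseLong(salt);
        if (issued > nowMillis || nowMillis - issued > MAX_AGE_MILLIS) {
            return null;
        }
        // Same concatenation the JSP used to name the field.
        return firstValue(params, "password" + salt);
    }

    public static void main(String[] args) {
        long renderedAt = 1154390400000L; // constructed sample: the salt the JSP wrote
        Map<String, String[]> params = new HashMap<>();
        params.put("username", new String[] {"matt"});
        params.put("salt", new String[] {Long.toString(renderedAt)});
        params.put("password" + renderedAt, new String[] {"s3cret"});
        System.out.println("valid salt -> " + resolvePassword(params, renderedAt + 1000));

        params.put("salt", new String[] {"not-a-number"}); // constructed: non-numeric salt
        System.out.println("bad salt   -> " + resolvePassword(params, renderedAt + 1000));
    }
}
```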


Basically, Struts is sometimes useful: it makes everything we do regular. But sometimes it gets in my way. This is the solution I liked in the first place; it just took beating Struts into submission.

2 comments:

Anonymous said...

Hi Matt,

try using the html:password struts tag!
http://struts.apache.org/1.3.5/struts-taglib/tagreference.html#password

Regards,
Tim

Matt said...

Tim,

html:password doesn't prevent the browser from storing the password. That's what we were using.