[PHP] html and password management

Mon, 25 May 2009 02:41:19 -0700 

I'm working on the user registration part of my site.
User registration works fine, but there's an oddity with password management. 

The use I registered is username: someone

After logging in, I told firefox to save the username and password.

I then went to the UserPrefs page to test both e-mail and password change.

http://www.clfsrpm.net/someone.png
FireFox for some reason auto-filled in the username in the verify e-mail field for the Update E-Mail Address form.
Even though the form requires valid login to even see, for security reasons I want valid password entered. I don't mind the auto-filling in of the password by firefox, I do mind that it decided to put the login name in the field before it. 

Here's the html for that form:

<h2>Account Settings</h2>
      <form id="formemail" method="post" action="UserPrefs">
        <fieldset id="fieldsetemail" class="leftFloat">
          <legend>Update E-Mail Address</legend>
<p><strong>NOTE</strong>: Updating your e-mail address will result in a temporarily disabled account until your new e-mail address has been validated.</p> 
          <div id="divemail" class="formFloat">
            <p>
              <label for="email">New E-Mail</label>
              <br/>
              <input type="text" id="email" name="email" size="64"/>
            </p>

            <p>
              <label for="vemail">Verify New E-Mail</label>
              <br/>
              <input type="text" id="vemail" name="vemail" size="64"/>
            </p>
          </div>
          <div id="divemailpassword" class="formFloat">
            <p>

              <label>Enter Current Password</label>
              <br/>
<input type="password" id="emailpassword" name="password" size="20"/> 
            </p>
          </div>
        </fieldset>
        <div id="email_submit" class="formFloat">
          <input type="hidden" name="ptoken" value="*snip*"/>

          <input type="submit" id="imail" name="imail" value="Submit"/>
        </div>
      </form>

The id for the input it is incorrectly auto-filling is vemail.
Is there a way to flag firefox not to autofill the username for that form? I thought it would be smart enough not to because the field name/id is different than the login field id/name but apparantly not.
Furthermore, when testing the e-mail change, FireFox asked if I wanted to save the password. I said yet to see what happens - and now it has the e-mail stored as a possible username for the site, which is blatently wrong. There must be a way to disable it.
I suppose I could remove the password field from the form, and upon submit - then ask for password verification on a different form, but that seems kind of sucky. 


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to