authorjim-p <jimp@pfsense.org>2011-05-12 10:45:30 -0400
committerjim-p <jimp@pfsense.org>2011-05-12 10:45:30 -0400
commit1031c9ea7655ab64a513e3b168f70d672e30a733 (patch)
treea844f571c5d2e6eeff4b6e8d909c3315717cd42d
parenta1bad14197056b186726180846103fa922a94df6 (diff)
downloadpfsense-1031c9ea7655ab64a513e3b168f70d672e30a733.zip
pfsense-1031c9ea7655ab64a513e3b168f70d672e30a733.tar.gz
Make autocomplete on the login form optional.
-rw-r--r--etc/inc/authgui.inc3
-rw-r--r--usr/local/www/system_advanced_admin.php20
2 files changed, 21 insertions, 2 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 9655d79..d64d1cc 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -226,8 +226,9 @@ if($config['virtualip'])
$nifty_background = "#999";
print_info_box(gettext("You are accessing this router by an IP address not configured locally, which may be forwarded by NAT or other means. <br/><br/>If you did not setup this forwarding, you may be the target of a man-in-the-middle attack."));
}
+ $noautocomplete = isset($config['system']['webgui']['noautocomplete']) ? 'autocomplete="off"' : '';
?>
- <form id="iform" name="login_iform" method="post" action="<?=$_SERVER['SCRIPT_NAME'];?>">
+ <form id="iform" name="login_iform" method="post" <?= $noautocomplete ?> action="<?=$_SERVER['SCRIPT_NAME'];?>">
<h1></h1>
<div id="inputerrors"><?=$_SESSION['Login_Error'];?></div>
<p>
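Review bot: The new `<form>` line sets `autocomplete="off"` only at form level, and many browsers ignore that attribute on login forms, so this is a best-effort hint rather than a control. The username and password inputs lie outside this hunk; if the goal is to meet a standard that forbids stored credentials, it may be worth emitting the attribute on the password input as well. A comment next to the assignment would record the limitation, e.g. `// Best-effort: browsers may ignore autocomplete="off" on login forms.` Because the key is tested with `isset()`, a config without it leaves autocomplete enabled, so the stricter behaviour is opt-in.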
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index 9f8b2d7..601bb8e 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
@@ -57,6 +57,7 @@ $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
$pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
$pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
+$pconfig['noautocomplete'] = isset($config['system']['webgui']['noautocomplete']);
$pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
$pconfig['enableserial'] = $config['system']['enableserial'];
$pconfig['enablesshd'] = $config['system']['enablesshd'];
@@ -152,6 +153,11 @@ if ($_POST) {
else
unset($config['system']['webgui']['nohttpreferercheck']);
+ if ($_POST['noautocomplete'] == "yes")
+ $config['system']['webgui']['noautocomplete'] = true;
+ else
+ unset($config['system']['webgui']['noautocomplete']);
+
if ($_POST['althostnames'])
$config['system']['webgui']['althostnames'] = $_POST['althostnames'];
else
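Review bot: `$_POST['noautocomplete']` is read without an existence check and compared with loose `==`. An unchecked checkbox is not submitted at all, so the clear-the-setting path always reads an undefined index. A stricter guard would be `if (isset($_POST['noautocomplete']) && $_POST['noautocomplete'] === "yes")`. The enclosing `if ($_POST)` block starts and ends outside this hunk, so whether the neighbouring options are read the same way cannot be fully confirmed from here.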
@@ -322,12 +328,24 @@ function prot_change() {
<strong><?=gettext("Disable webConfigurator redirect rule"); ?></strong>
<br/>
<?php echo gettext("When this is unchecked, access to the webConfigurator " .
- "is always permitted even on port 80, regardless of the listening port configured." .
+ "is always permitted even on port 80, regardless of the listening port configured. " .
"Check this box to disable this automatically added redirect rule. ");
?>
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("WebGUI Login Autocomplete"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="noautocomplete" type="checkbox" id="noautocomplete" value="yes" <?php if ($pconfig['noautocomplete']) echo "checked"; ?> />
+ <strong><?=gettext("Disable webConfigurator login autocomplete"); ?></strong>
+ <br/>
+ <?php echo gettext("When this is unchecked, login credentials for the webConfigurator " .
+ "may be saved by the browser. While convenient, some security standards require this to be disabled. " .
+ "Check this box to disable autocomplete on the login form so that browsers will not prompt to save credentials (NOTE: Some browsers do not respect this option). ");
+ ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("WebGUI login messages"); ?></td>
<td width="78%" class="vtable">
<input name="quietlogin" type="checkbox" id="quietlogin" value="yes" <?php if ($pconfig['quietlogin']) echo "checked"; ?> />