Privacy Violation: Autocomplete: Remediation Technique

Document ID : KB000010725
Last Modified Date : 14/02/2018
Introduction:

How to configure CA SSO forms to disable Autocomplete of the input fields?

Background:

Most recent browsers can save the content users enter into form fields and automatically complete those fields the next time they are encountered. This feature is enabled by default and could leak sensitive information, since the saved values are stored on the user's hard drive. The risk is greatly increased if users access the application from a shared environment. Recommendations include setting autocomplete to "off" on all your forms.

Environment:
Web Agent : ANY
Instructions:

To mitigate this vulnerability, you will need to use Secure HTML Forms.

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/configure-html-forms-authentication

Use Secure HTML Forms Authentication Templates 
The Secure HTML forms authentication templates differ from the standard versions in the following ways:

  • Secure versions do not display the username in returned messages
  • Secure versions include a Logout hyperlink in the top right corner of the form template, which logs the user out and redirects them to the custom logoff page
  • Autocomplete is turned off for all text fields in secure versions


Default secure template files which you can customize are located in the following directories:

  • Windows: webagent\secureforms
  • UNIX: webagent/secureforms


To use the secure versions of the HTML forms authentication templates, copy the files from the secureforms directory to the following location, replacing the standard versions there:

  • Windows: webagent\samples\forms
  • UNIX: webagent/samples/forms


A set of secure forms for the US English (en-US) locale is also available in the following directories:

  • Windows: webagent\secureforms_en-US
  • UNIX: webagent/secureforms_en-US

To use the secure versions of the US English locale forms, copy the files from the secureforms_en-US directory to the following location, replacing the standard versions there:

  • Windows: webagent\samples\forms_en-US
  • UNIX: webagent/samples/forms_en-US
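
After the secure templates have been copied into place, the deployed forms directory can be checked to confirm that no text field still allows autocomplete. The script below is an added example, not part of the CA documentation or product; the sample forms and their field names are constructed for illustration, and the script assumes every file in the directory can be read as text.

```python
from html.parser import HTMLParser
from pathlib import Path

# Input types browsers treat as free-text entry and may offer to remember.
TEXT_TYPES = {"text", "password", "email", "tel", "search", "url", "number"}

class AutocompleteAudit(HTMLParser):
    """Collect text-like <input> fields for which autocomplete is not off."""
    def __init__(self):
        super().__init__()
        self.form_off = False  # enclosing <form> carries autocomplete="off"
        self.findings = []     # (line number, field name) per exposed field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        setting = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_off = setting == "off"
        elif tag == "input" and (a.get("type") or "text").strip().lower() in TEXT_TYPES:
            # The field's own attribute wins; otherwise it inherits the form's.
            if not (setting == "off" if setting else self.form_off):
                self.findings.append((self.getpos()[0], a.get("name") or "?"))

    def handle_endtag(self, tag):
        self.form_off = self.form_off and tag != "form"

def audit_html(html):
    """Return (line, name) for each text field that still allows autocomplete."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def audit_dir(forms_dir):
    """Map file name -> findings for every file in a deployed forms directory."""
    report = {}
    for path in sorted(Path(forms_dir).iterdir()):
        found = audit_html(path.read_text(errors="replace")) if path.is_file() else []
        if found:
            report[path.name] = found
    return report

# Constructed samples (not the vendor's templates): a plain and a hardened form.
STANDARD = ('<form method="POST">\n<input type="text" name="USER">\n'
            '<input type="password" name="PASSWORD">\n<input type="hidden" name="t">\n</form>')
SECURE = STANDARD.replace("<input ", '<input autocomplete="off" ')

if __name__ == "__main__":
    import sys
    print(audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_html(STANDARD))
```

Pass the deployed directory (for example webagent/samples/forms) as the only argument; an empty result means every text field has autocomplete turned off. The check covers the template markup only: some current browsers' password managers ignore autocomplete="off" on login fields.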