May 04, 2012

DotNetNuke Login and Auto Complete - How to Cope

Recently I have been getting a lot of questions regarding the DotNetNuke login and why "auto complete" is disabled on the username/password fields when you go to log in. The typical follow-up question is "how can I change that behavior?" So, after answering this question individually around 5-6 times, I thought it would be best to get this out here, at least my opinion on the issue.

Why Is Auto Complete Disabled?

Over the last 2-3 years, since the initial change was made to the DotNetNuke core, this question has been asked in many different forums, and the answers are mostly the same: security. With auto-complete enabled on login controls, a user's credentials can easily be stored on a public machine or other shared system, where other users can then gain access to the account. For most people this is a security risk that you just don't want to take, at least with administrator user accounts.

Granted, user education can help to minimize this risk, but it is still there even with people who are very vigilant with their browsing habits. Yes, it is a pain to re-type your account information, but the security benefits are typically worth it. The next most common question I get from people is:

How Is It Disabled In The Core?

This one is actually quite tricky. You would think you could quickly circumvent this limitation of the core by creating a custom authentication provider that mimics the functionality of the core one. However, if you build the form like most people do, with common control names, you will find that your custom provider is also modified to disable auto complete.

This is because /DesktopModules/Admin/Authentication/login.ascx, the control that loads the authentication providers, searches for any controls named "txtUsername" and "txtPassword". If they are found, the attribute AUTOCOMPLETE="off" is added to the control. This then typically leads to:

How Can I Bypass This?

If you are dead set on bypassing this functionality, you can modify the core code with any text editor; no re-compile is needed. Within the file referenced above, look for the following code snippet (around line 440):

    var username = loginControl.FindControl("txtUsername") as WebControl;
    if (username != null)
    {
        username.Attributes.Add("AUTOCOMPLETE", "off");
    }
    var password = loginControl.FindControl("txtPassword") as WebControl;
    if (password != null)
    {
        password.Attributes.Add("AUTOCOMPLETE", "off");
    }

Simply comment out all of these lines of code by adding // before each line. In the end, the code will look like the following:

    //var username = loginControl.FindControl("txtUsername") as WebControl;
    //if (username != null)
    //{
    //    username.Attributes.Add("AUTOCOMPLETE", "off");
    //}
    //var password = loginControl.FindControl("txtPassword") as WebControl;
    //if (password != null)
    //{
    //    password.Attributes.Add("AUTOCOMPLETE", "off");
    //}

Now, when you go to the login page, if you have your browser configured to remember logins, it will properly remember your information.

My Thoughts On This

I would just like to end with my thoughts on the matter. As much as I know that, from a usability standpoint, it is "nice" to have your login information remembered, with the dynamic and configurable nature of DotNetNuke I feel that the risks outweigh the benefits. If you insist on this functionality, I would strongly recommend only enabling it for usernames. This could still expose helpful information to a malicious user, but at least you are not handing over the keys to the castle.
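To verify whether a site's rendered login page still carries the core's autocomplete hardening, or follows the username-only compromise recommended above, the page HTML can be audited. The following Python script is an added example, not code from DotNetNuke or from this post; the sample markup and its element ids are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample markup (ids are illustrative, not captured from a real site).
STOCK = ('<input type="text" id="dnn_ctr_Login_txtUsername" AUTOCOMPLETE="off" />'
         '<input type="password" id="dnn_ctr_Login_txtPassword" AUTOCOMPLETE="off" />')
MODIFIED = STOCK.replace(' AUTOCOMPLETE="off"', "")           # both blocks commented out
USERNAME_ONLY = STOCK.replace(' AUTOCOMPLETE="off"', "", 1)   # only the username block removed


class LoginFieldAudit(HTMLParser):
    """Record (kind, id, autocomplete value) for login inputs in rendered HTML."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # the parser lowercases attribute names
        elem_id = a.get("id", "")
        # ASP.NET prefixes rendered ids with container ids, so match the suffix.
        if a.get("type", "").lower() == "password" or elem_id.lower().endswith("txtpassword"):
            kind = "password"
        elif elem_id.lower().endswith("txtusername"):
            kind = "username"
        else:
            return
        self.fields.append((kind, elem_id, a.get("autocomplete")))


def audit_login_html(html, allow_username_autocomplete=False):
    """Return findings; an empty list means the autocomplete hardening is intact."""
    parser = LoginFieldAudit()
    parser.feed(html)
    findings = []
    for kind, elem_id, value in parser.fields:
        if kind == "username" and allow_username_autocomplete:
            continue
        if (value or "").strip().lower() != "off":
            findings.append(f"{kind} field '{elem_id}' does not set autocomplete=off")
    if not any(kind == "password" for kind, _, _ in parser.fields):
        findings.append("no password field found; is this the login page?")
    return findings


if __name__ == "__main__":
    for name, html in [("stock", STOCK), ("modified", MODIFIED), ("username-only", USERNAME_ONLY)]:
        print(name, audit_login_html(html, allow_username_autocomplete=True))
```

Run it against the saved HTML of each site's login page; with `allow_username_autocomplete=True` it only flags a password field that has lost the attribute.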

I hope this article was helpful, feel free to share your comments below.


Content provided in this blog is provided "AS-IS" and the information should be used at your own discretion.  The thoughts and opinions expressed are the personal thoughts of Mitchel Sellers and do not reflect the opinions of his employer.

Content Copyright

Content in this blog is copyright protected.  Re-publishing on other websites is allowed as long as proper credit and backlink to the article is provided.  Any other re-publishing or distribution of this content is prohibited without written permission from Mitchel Sellers.