Do browsers support autocomplete for ajax loaded login forms at all?

Autocomplete, in Firefox at least, triggers during page load. Adding the content afterwards would miss the window of opportunity A login form is tiny. I'd include it in the page from the outset and consider hiding it with CSS until it is wanted.

Autocomplete, in Firefox at least, triggers during page load. Adding the content afterwards would miss the window of opportunity. A login form is tiny.

I'd include it in the page from the outset and consider hiding it with CSS until it is wanted.

Thanks, now the login form is static and only its visibility is toggled. Works like a charm. – sibidiba Feb 20 '10 at 2:07 To completely hide the form and its footprint, add a style attribute (or equivalent class) directly to a div that contains the form and other elements that also sets the position as absolute: .

– Jean Vincent Jan 8 at 13:29.

In case it helps, msdn says (towards the bottom of the page): Note: if both of the following conditions are true: The page was delivered over HTTPS The page was delivered with headers or a META tag that prevents caching ...the Autocomplete feature is disabled, regardless of the existence or value of the Autocomplete attribute. This remark applies to IE5, IE6, IE7, and IE8. I've emboldened the interesting bit..

This is not the case, and in does not work in FF either. The username/password submission is recognized, I'm prompted whether I want to save the data (both IE&FF). And if I list them, they do appear correctly in the browser's saved password list for the correct site.

They are "just" not entered into the form. – sibidiba Feb 15 '10 at 17:42 @sibidiba - I would try name="password" and name="username for those input elements to see if that makes a difference. – karim79 Feb 15 '10 at 17:56 Tried it, behavior remains the same.

– sibidiba Feb 15 '10 at 18:54 @sibidiba - I'm all out of ideas. I'll leave my answer here for while before deleting, in case anyone else has the same idea. Sorry to have been of limited help :( – karim79 Feb 15 '10 at 19:00 Thanks anyway!

– sibidiba Feb 15 '10 at 19:12.

I don't think you can get the form autocomplete to work if you load the form via ajax (security-wise I don't know if it can be really be abused or not, but the fact that a script could start loading fields into the page to see what data gets inserted doesn't look too good to me). If you can, the best option would be to add a conditional block to the php file and include the form or not depending on whether the user is logged or not. If for some reason you can't do that, you might want to try to do a document.write() instead of the ajax call (and yes, using document.

Write is ugly :).

1 Your arguments about security are well placed. But couldn't you steal information the same way without AJAX forms? Tying the form to a condition in PHP isn't a solution for me, because I need the form to be changed without page reload.

Consider a site like stackoverflow, you start typing a question and realize, that you need to registered or log in. I want to allow visitors to register or log in without navigating away. – sibidiba Feb 19 '10 at 9:47 The thing with AJAX forms is that the javascript might come from a different source from the HTML (Cross-site scripting).

If you logout from here you will find that stackoverflow does include the login form if you are not logged in. As most other websites that I've found, it just adds the user and password fields to the comment form, so that you can comment and login at the same time. Another solution that you could try would be to include the form with the page (hidden), and show it with jQuery, instead of loading it with an Ajax call.

– salgiza Feb 19 '10 at 10:21 This could fall under xss and something like click hijacking, hence javascripts security restrictions might apply. What if another domains script could generate a look-a-like form and place it above the original form? The other domain would recieve the un/pw.

– anddoutoi Feb 19 '10 at 11:03 What I do not understand, that if this is a security issue, then why not with normal, static forms as well? A script loaded from different domain could read the value of a password field of a static form that is autocompleted the same way (but of course could not load any form, I see). – sibidiba Feb 19 '10 at 2:14 @sibida.As I think you mention in your last comment, the problem is that you could make a mass creation of inputs in a page (imagine creating fields not only like "login" and "password", but things like "address", "phone number", and anything that the browser might autocomplete).

I do agree, however, that it is pretty silly that it doesn't autocomplete the fields when you actually start typing in them, regardless of how they were created! – salgiza Feb 19 '10 at 9:46.

I see case when login form has to be pulled with ajax - if rest of the website loads as static html (cache). Login form (or authed user info) cant be displayed statically. So your solution is to pull the form right after declaration (end tag) of the DOM element that serves as parent element for ajax-pulled loginform's html.

Like (html tags replaced with ): div id="loginforms_parent"/divscript language="javascript"/ajax request and insert into DOM//script And browser has the form in DOM onLoad. Tested, firefox does autocomplete in that case.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.