Privacy Violation: Autocomplete: Remediation Technique

Document ID:  TEC1779626
Last Modified Date:  08/08/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.5
  • CA Single Sign-On:Release:12.51
  • CA Single Sign-On:Release:12.51 CA SiteMinder
  • CA Single Sign-On:Release:12.52
  • CA Single Sign-On:Release:12.52 CA SiteMinder
  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.52 SP2
  • CA Single Sign-On:Release:12.6
  • CA Single Sign-On:Release:12.6.1

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
  • SITEMINDER -WEB AGENT FOR IIS:SMIIS
Introduction:

How to configure CA SSO forms to disable Autocomplete of the input fields?

Background:

Most recent browsers can save the content that users enter into form fields and then automatically complete those fields the next time they are encountered. This feature is enabled by default and could leak sensitive information, because the saved values are stored on the user's hard drive. The risk is greatly increased if users access the application from a shared environment. Recommendations include setting autocomplete to "off" on all your forms.

Environment:

Web Agent: ANY

Instructions:

To mitigate this vulnerability, you will need to use Secure HTML Forms.

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/configure-html-forms-authentication

Use Secure HTML Forms Authentication Templates
The Secure HTML forms authentication templates differ from the standard versions in the following ways:

  • Secure versions do not display the username in returned messages
  • Secure versions include a Logout hyperlink in the top-right corner of the form template, which logs out the user and redirects them to the custom logoff page
  • Autocomplete is turned off for all text fields in secure versions


Default secure template files which you can customize are located in the following directories:

  • Windows: webagent\secureforms
  • UNIX: webagent/secureforms


To use the secure versions of the HTML forms authentication templates, copy the files from the secureforms directory to the following location, replacing the standard versions there:

  • Windows: webagent\samples\forms
  • UNIX: webagent/samples/forms


A set of secure forms for the US English (en-US) locale is also available in the following directories:

  • Windows: webagent\secureforms_en-US
  • UNIX: webagent/secureforms_en-US

To use the secure versions of the US English locale forms, copy the files from the secureforms_en-US directory to the following location, replacing the standard versions there:

  • Windows: webagent\samples\forms_en-US
  • UNIX: webagent/samples/forms_en-US
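
One way to confirm the result after copying, as an added example that is not part of CA's documentation: a Python audit that parses every file in a forms directory and lists text-like input fields that neither set autocomplete="off" themselves nor sit inside a form that does. The sample markup and its field names are constructed for illustration and are not the content of the shipped templates.

```python
import sys
from html.parser import HTMLParser
from pathlib import Path

# Input types whose typed values a browser may store and offer again.
CHECKED_TYPES = {"text", "password", "email", "tel", "search", "url", "number"}

class AutocompleteAudit(HTMLParser):
    """Record text-like <input> fields not covered by autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # (line number, field name) per uncovered field

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases attribute names
        setting = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_off = setting == "off"
        elif tag == "input":
            kind = (a.get("type") or "text").strip().lower()
            # A field's own attribute overrides the one on its form.
            covered = setting == "off" if setting else self.form_off
            if kind in CHECKED_TYPES and not covered:
                self.findings.append((self.getpos()[0], a.get("name") or "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit_html(text):
    parser = AutocompleteAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_directory(path):
    """Map file name -> findings for every regular file directly under path."""
    return {f.name: hits for f in sorted(Path(path).iterdir()) if f.is_file()
            and (hits := audit_html(f.read_text(errors="replace")))}

# Constructed sample markup (not CA's template content).
STANDARD = ('<form method="post">\n<input type="text" name="USER">\n'
            '<input type="password" name="PASSWORD">\n</form>')
SECURE = STANDARD.replace("<input ", '<input autocomplete="off" ')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the samples/forms directory after the copy
        print(audit_directory(sys.argv[1]))
    else:
        print("standard:", audit_html(STANDARD), "secure:", audit_html(SECURE))
```

Run it with the forms directory as the only argument; an empty result means every checked field is covered, and any entry names the file, line and field that still allows autocomplete.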
