How to Disable AutoComplete for Password in Form Based Authentication
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The following browsers have removed support for the use of autocomplete="off"
Apple Safari 6.1.6 (OS X 10.7)
Google Chrome 41+
Microsoft Edge
Microsoft Internet Explorer 11+
Mozilla Firefox 30+
As this is a design choice made by the browser's authors, there is no current work around available. We have a suggestion in place to have an option to autocomplete the username and password from the front end.
If you are using Google chrome to access Confluence then you can use Fill out forms automatically.
and if you are using Firefox then you refer to the page Control whether Firefox automatically fills in forms
❗ The information in this page relates to customizations in Confluence. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
Disabling AutoComplete for Username and Password in Form-Based Authentication is crucial in environments where computers are shared. This helps prevent potential security vulnerabilities.
A feature request, CONFSERVER-54157, was submitted to address this issue. However, it was marked as "won't fix" because modern browsers have mitigated this concern by generally ignoring autocomplete hints, classifying it as a false positive vulnerability.
Environment
Confluence Data Center Versions 7.x, 8.x
Solution
⚠️PLEASE READ: As with all recommendations made by Atlassian Support, please follow best practices for Change Management and make sure to test and validate these steps in a lower environment (staging, development, testing, etc) prior to rolling any changes into a Production environment, and only after backing up your system and data. This is to validate these changes and ensure that they will function well within your infrastructure prior to placing them in production.
Also, this is categorized as customizations in Confluence. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offering. This is provided as a best effort from the Support Team.
Finally, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
It is possible to modify the login.vm file (Customising the Login Page) so that the os_password input box contains the attribute autocomplete="off".
Shut down your Confluence server.
Locate the
login.vmfile in the Confluence installation directory underconfluence/login.vm.Make a backup copy of this file.
Open the file in a text editor to make the necessary changes. The file contains a mix of HTML and Velocity script. Refer to the Velocity Template Overview (in our developer documentation).
1
2
3
4
#spassword("label='password.accesskey'"
"name='os_password'"
"placeholder=$i18n.getText('password.name')"
"autocomplete='off'")5. Start Confluence and test your changes.
Was this helpful?