Looking for easiest way to turn off autocomplete for admin login prompt

[gRegor]

We have a site that is having some security scans run and they want us to disable autocomplete on the username/password field for the ProcessWire login form, using the autocomplete="off" attribute.

I see that buildLoginForm is hookable, but would prefer to avoid rebuilding the entire form. Is there another hook (or simpler way that I'm forgetting) to target those two input fields and add the attribute?

I may also just manually update the core file and make a note to re-apply it when we update PW, but fingers crossed there's a simpler way I'm missing. Depending on the results of this thread, I might file a feature request to make it a configurable option.

Thanks for any help!

[gRegor]

Hooking after that method wasn't as bad as I was thinking, so this is my current quick solution:

wire()->addHookAfter('ProcessLogin::buildLoginForm', function(HookEvent $event) {
    $form = $event->return;
    $form->get('login_name')->attr('autocomplete', 'off');
    $form->get('login_pass')->attr('autocomplete', 'off');
    $event->return = $form;
});

 

[gRegor]

I also learned that this mostly doesn't matter in modern browsers, since they'll ignore it. But hey, this security scan will pass now! 🤣

[adrian]

It might be ugly and not recommended, but I set the autocomplete value to a uniqid() value and it seems to work to actually prevent browsers autocompleting fields.