From a99b9ce81ed2de174460bff0c74e348fe30408c8 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 27 Jul 2015 15:24:14 -0500
Subject: [PATCH] login: Send 401 to signal browser not to save creds

---
 include/class.http.php      | 2 +-
 include/staff/login.tpl.php | 2 +-
 login.php                   | 5 +++++
 scp/login.php               | 4 ++++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/include/class.http.php b/include/class.http.php
index 2fd09a8d7..b2a9738e0 100644
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -32,7 +32,7 @@ class Http {
         endswitch;
     }
 
-    function response($code,$content,$contentType='text/html',$charset='UTF-8') {
+    function response($code,$content=false,$contentType='text/html',$charset='UTF-8') {
 
         header('HTTP/1.1 '.Http::header_code_verbose($code));
 		header('Status: '.Http::header_code_verbose($code)."\r\n");
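Review bot: `Http::response(401)` is now called with no content by login.php and scp/login.php, but this hunk ends before the part of `response()` that handles `$content`; if that code still prints `$content` and calls `exit` unconditionally, both new callers would terminate the request right after the status headers and never render the login form. The diffstat records only this one-line change to class.http.php, so the body presumably already tolerates a missing content string, but that is worth confirming before merge. The new optional parameter also deserves a docblock above the signature describing the two modes, something like `/** Emit the status headers for $code; with $content === false only headers are sent and the caller continues rendering. */`, worded to match whatever the body actually does. The `response()` body continues outside the hunk.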
diff --git a/include/staff/login.tpl.php b/include/staff/login.tpl.php
index 6319d289b..fdf4c7afb 100644
--- a/include/staff/login.tpl.php
+++ b/include/staff/login.tpl.php
@@ -14,7 +14,7 @@ $info = ($_POST && $errors)?Format::htmlchars($_POST):array();
     </a></h1>
     <h3><?php echo Format::htmlchars($msg); ?></h3>
     <div class="banner"><small><?php echo ($content) ? Format::display($content->getLocalBody()) : ''; ?></small></div>
-    <form action="login.php" method="post">
+    <form action="login.php" method="post" id="login">
         <?php csrf_token(); ?>
         <input type="hidden" name="do" value="scplogin">
         <fieldset>
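Review bot: The new `id="login"` on the `<form>` exists only to match the `id=login` token in the `WWW-Authenticate: html-form` header that scp/login.php sends in the same commit, and nothing in the template records that coupling; a later markup change that renames the id would break the header silently, with no error anywhere. A PHP comment on the form line, e.g. `<?php /* id must match the WWW-Authenticate header sent by scp/login.php */ ?>`, would keep the two in step without leaking into the rendered HTML.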
diff --git a/login.php b/login.php
index 7971e1074..a1ec62245 100644
--- a/login.php
+++ b/login.php
@@ -122,6 +122,11 @@ if (!$nav) {
     $nav = new UserNav();
     $nav->setActiveNav('status');
 }
+
+// Browsers shouldn't suggest saving that username/password
+Http::response(401);
+header('WWW-Authenticate: html-form id=clientLogin');
+
 require CLIENTINC_DIR.'header.inc.php';
 require CLIENTINC_DIR.$inc;
 require CLIENTINC_DIR.'footer.inc.php';
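Review bot: The header `WWW-Authenticate: html-form id=clientLogin` names a form id, but the diffstat shows no change to the client login template in this commit, whereas the staff template is edited to carry `id="login"` for its matching header; unless the client login form already has `id="clientLogin"`, this header points at an element that does not exist. If the attribute is missing, the client template's `<form>` needs `id="clientLogin"`; if it is already present, a comment here naming that template would make the coupling visible. As far as I know `html-form` is not a registered HTTP authentication scheme, so browsers that do not recognise it ignore the header and only the 401 status carries the intended "do not offer to save" hint — the comment above the call could say so, e.g. `// 401 is the signal; the html-form scheme is vendor-specific and ignored by browsers that do not know it`.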
diff --git a/scp/login.php b/scp/login.php
index 6655239c2..f0da8319e 100644
--- a/scp/login.php
+++ b/scp/login.php
@@ -70,6 +70,10 @@ elseif (!$thisstaff || !($thisstaff->getId() || $thisstaff->isValid())) {
        @header("Location: $dest");
 }
 
+// Browsers shouldn't suggest saving that username/password
+Http::response(401);
+header('WWW-Authenticate: html-form id=login');
+
 define("OSTSCPINC",TRUE); //Make includes happy!
 include_once(INCLUDE_DIR.'staff/login.tpl.php');
 ?>
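Review bot: The new `Http::response(401)` runs unconditionally after the `elseif` branch above, and that branch emits `@header("Location: $dest")` on the line before its closing brace; if that path does not `exit` (the enclosing block starts outside the hunk, so I cannot see whether it does), the later `HTTP/1.1 401` status line replaces the implicit redirect status while the `Location` header remains, and browsers do not follow `Location` on a 401. If the redirect is meant to end the request, an explicit `exit;` directly after the `Location` header makes that robust; if the branch already exits elsewhere, a comment next to the new 401 saying so would spare the next reader the same check. The same unconditional-401 pattern is added to login.php, where the same question applies to any redirecting path above it.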
-- 
GitLab