login: Send 401 to signal browser not to save creds

a99b9ce8 · Jared Hancock · c9aa00f5 · a99b9ce8 · a99b9ce8 · a99b9ce8
Commit a99b9ce8 authored 9 years ago by Jared Hancock
--- a/include/class.http.php
+++ b/include/class.http.php
@@ -32,7 +32,7 @@ class Http {
        endswitch;
    }
-    function response($code,$content,$contentType='text/html',$charset='UTF-8') {
+    function response($code,$content=false,$contentType='text/html',$charset='UTF-8') {
        header('HTTP/1.1 '.Http::header_code_verbose($code));
 		header('Status: '.Http::header_code_verbose($code)."\r\n");

--- a/include/staff/login.tpl.php
+++ b/include/staff/login.tpl.php
@@ -14,7 +14,7 @@ $info = ($_POST && $errors)?Format::htmlchars($_POST):array();
    </a></h1>
    <h3><?php echo Format::htmlchars($msg); ?></h3>
    <div class="banner"><small><?php echo ($content) ? Format::display($content->getLocalBody()) : ''; ?></small></div>
-    <form action="login.php" method="post">
+    <form action="login.php" method="post" id="login">
        <?php csrf_token(); ?>
        <input type="hidden" name="do" value="scplogin">
        <fieldset>

--- a/login.php
+++ b/login.php
@@ -122,6 +122,11 @@ if (!$nav) {
    $nav = new UserNav();
    $nav->setActiveNav('status');
 }
+// Browsers shouldn't suggest saving that username/password
+Http::response(401);
+header('WWW-Authenticate: html-form id=clientLogin');
 require CLIENTINC_DIR.'header.inc.php';
 require CLIENTINC_DIR.$inc;
 require CLIENTINC_DIR.'footer.inc.php';

--- a/scp/login.php
+++ b/scp/login.php
@@ -70,6 +70,10 @@ elseif (!$thisstaff || !($thisstaff->getId() || $thisstaff->isValid())) {
       @header("Location: $dest");
 }
+// Browsers shouldn't suggest saving that username/password
+Http::response(401);
+header('WWW-Authenticate: html-form id=login');
 define("OSTSCPINC",TRUE); //Make includes happy!
 include_once(INCLUDE_DIR.'staff/login.tpl.php');
 ?>