We have noticed that the mobile app does not clear username password on exit. therefore, when the user reenters the app (or another user picks up the same unit) the username/password is still populated. We would like it cleared on exit?
It’s your browser that is storing the username and password (just like any other username and password field on any other website).
We are already including
autocomplete=off attributes on the elements, so we’ll have to look into whether there’s more we can do to try and tell browsers not to allow saving the values.
That’s really unfriendly to modern password best practices – namely, to use a password manager so one only has to remember the password manager’s encryption passphrase.
Yeah, it’s tricky. I agree with you about using password managers, but imagine any kind of shared workstation or tablet or even a phone that isn’t shared but someone gets their hands on it - should a stranger be able to log in to your HMI project because an operator wasn’t trained not to save the password when every browser out there will ask you to save it?
Any shared workstation should be using a native client launcher – no browser at all. I would argue that the mobile module is unsecurable for shared use – for precisely the reason you point out. Mobile devices are made for sole users – architected that way through and through – and cannot be made secure for multiples.
I thought at least android supports multiple user accounts?
Granted I’ve never had to use it…
Thanks for your response.
I don’t really think this is the issue (demonstration below, in private mode on Firefox). Is it possible that the underlying Java client is not clearing the fields when the exit/logout button is pressed?
FWIW, we have password storage disabled on the devices browser (again, I think this issue is unrelated).
This does look like something else - we’ll look into it.
I remember it being announced, and being default disabled. I just played with my Nexus 6P and though it doesn’t show user management where it is supposed to, a long-press on the admin user (me) in Settings popped up another menu. And lo, there’s the Add User option. So it is possible, at least on selected devices.