Security: Add configuration setting 'security_login_autocomplete_disable' to set autocomplete attribute of both login and password to "new-password" - refs BT#21289

Author: ywarnier

main/inc/lib/template.lib.php

@@ -1226,6 +1226,9 @@ public static function displayLoginForm()
             'icon' => 'user fa-fw',
             'placeholder' => get_lang('UserName'),
         ];
+        if (api_get_configuration_value('security_login_autocomplete_disable') === true) {
+            $params['autocomplete'] = 'new-password';
+        }
         $browserAutoCapitalize = false;
         // Avoid showing the autocapitalize option if the browser doesn't
         // support it: this attribute is against the HTML5 standard
@@ -1244,6 +1247,9 @@ public static function displayLoginForm()
             'icon' => 'lock fa-fw',
             'placeholder' => get_lang('Pass'),
         ];
+        if (api_get_configuration_value('security_login_autocomplete_disable') === true) {
+            $params['autocomplete'] = 'new-password';
+        }
         if ($browserAutoCapitalize) {
             $params['autocapitalize'] = 'none';
         }

main/install/configuration.dist.php

@@ -2515,3 +2515,9 @@
 // If this feature is enabled on an existing portal, the registration date of users will be taken as
 // the latest password change date.
 //$_configuration['security_password_rotate_days'] = 90;
+
+// Prevent login/pass cache by browser
+// If enabled, users' browsers will not be able to re-use previous
+// login/passwords in the main login form. Browsers might choose not to
+// support this feature.
+//$_configuration['security_login_autocomplete_disable'] = false;