Tell web browser that login failed so it doesn't ask to remember the password

Question

I'm writing a login system for a website, but when the user gets the login credentials wrong the browser (I've tried both Firefox and Chrome) still asks if the user wants to save the password. How can I tell the browser that there was a login failure, so that it knows not to ask the user to save the bad credentials?

I've tried sending HTTP status codes of 403 and 500 (instead of the normal 200), but neither work. Is there a way to do what I want?

P.S. I don't want to use the HTTP 401 authentication mechanism as I want to use an HTML form to login, not some browser dialog box.

Answer 1

Looking at Chrome's Source Code to determine how this works (See OnPasswordFormsRendered), it is doing some heuristics to determine this. The way it appears to be doing this is:

1. User submits a form
2. Wait for the page to finish loading
3. Is the same form still visible? If yes, assume the form is being presented due the an invalid username or password.

When a user logon fails; they should be presented with the same form again. It would seem that your "Logon Failed" screen is too different from your original logon screen for the browser to see they are the same form.

It doesn't appear that HTTP Status Code makes a difference for offering to save the password.

Newer versions of Chrome take in to account the HTTP status code. If the status code is between 400 and 600, then it will not offer to save the password.

The other details are fairly well documented with comments in the same source file.