Since Microsoft is pushing Internet Explorer 11 through Windows Update as an important update for Windows 7, a lot of users are starting to use it as their default browser. Also users on Windows 8.1 are already using Internet Explorer 11 by default.
Internet Explorer 11 brought some issues for customers using Netscaler Gateway, for example the login fields in combination with the Green Bubble theme weren’t displayed correctly and this prevented users from logging in correctly. Citrix released new maintenance releases for Netscaler Gateway which will fix this layout issues.
But there is more : Microsoft decided to ignore the Autocomplete=Off setting used by Netscaler Gateway (and a lot of other login pages), this setting tells the browser not to use the store password option and will protect the user from accidently saving their username and password on their machine (or worse a public machine!). Below a screenshot from the login.js file where you can find the autocomplete=off setting on the Netscaler :
Up till Internet Explorer 10 and every other major browser like Chrome and Firefox respect this setting and will not bother the user to store the credentials, but Microsoft decided to ignore this setting (by default!) in IE11 because they want to give this control back to the user, you can read more about it here and here. Below a screenshot of the message users get when logging in through IE11 on Netscaler Gateway :
I think it’s a wrong choice of Microsoft to ignore the autocomplete=off setting, but even more wrong to ignore it by default, because they forget that a lot of people don’t know how to use a password manager wisely and just click OK on every message they see without thinking about the risks. When users click on Yes, everyone with access to their computer can simple hit the first letter of their username and the rest is auto filled so it’s very easy to make abuse of this :
Of course users can always bypass the autocomplete=off setting by installing\enabling a password manager themselves (also in other browsers) but in this way, they are conscious what they are doing. This default setting will put a lot of users (the ones we all know and hit Yes on everything on their way) at risk, without they even know it.
Possible workarounds when using Internet Explorer 11 :
- When machines are managed (through GPO or tools like Thinkiosk) disable Autocomplete in the browser completely or only for certain websites
- Change the password field on the Netscaler Gateway from type Password to type Text, this will prevent autocomplete from kicking in but will lower the security when people are typing in their password
- Don’t allow IE11 : Block the login page from showing (through EPA scan or some code in the index page) and notify the users to use another browser
- Don’t use Receiver for Web \ Netscaler Gateway Portal and only use the native Citrix Receivers
Of course 2-way factor authentication is a life saver here, but the security is already lowered when username and passwords are already stored on the machine. People with bad intentions only need the phone or token as an extra step to get access from a machine with prefilled username and password.
Please let me know if you have other ways to work around this default behaviour of Internet Explorer 11.
8 thoughts on “IE11 ignores Autocomplete=Off setting used by Netscaler Gateway and put users at risk”
There’s another short workaround. Just add the netscaler page to the compatibility mode list in Internet Explorer (Tools -> Compatibility View Settings)
Also good workaround for managed devices, but the risk stays the same for unmanaged devices.
I’ve tested using compatibily mode with out netscaler site. It doesn’t seem to resolve this issue. I’m still being prompted to store my password when using IE 11.
Ya.. don’t know why IE11 compatibility mode didn’t conform the AutoComplete=”off”
Bad News: Safari ist starting to ignore “autocomplete=off” too.
Previous Version says on our page “site does not wish to store user-name and password.
The new Safari Version now asks for saving unser-name and password.
Good News: Mozilla says they dont want to ignore “autocomplete=off”.
Why aren’t more admins up in arms about this? This seems like a huge security risk for many organizations especially when they fall under HIPAA or the likes.
I hadn’t realized that this change had occured until one of our users brought it to my attention that a laptop that is shared with 30 other users had one users credentials in it. Then I helped update the receiver on a home computer and saw it.
I can’t even find a single post on the Citrix forums in regards to this which I find amazing.
I was basically told today, find a fix, if it means don’t support Microsoft IE 11 or later then so be it (and same for any other browser that doesn’t want to play nicely with corporate environments).
All they did with this was hurt the end user imo, now we’re going to have to come up with some other method of access other than the web interface which might not be as easy for them.
We are in the same vote as you Aaron. You found anything?
Nothing good haha. Management made everyone sign a form saying that they won’t save their credentials in the browser. Heh…
I’m sure there is probably a way to detect if the setting is on (autocomplete) and then deny access if it is. That’s outside the ability of our little shop though.