credit card security issue

[tone2]

Hi,
I have just had a customer raise security concerns over our Zen Cart web site. She noticed that the credit card info is stored by the browser. She was surprised to find that when placing a repeat order that her cc number automatically 'popped up' in the cc box on the order payments page.

I have confirmed that this does in fact happen (using FireFox). And the scary thing is that even if I log in as a different user, the same cc number pops up in the box (You have to type the first digit, then the drop down appears with the full cc number).

I will try and fix this myself, but would appreciate any comments or help.

Using Zen Cart 1.3.8a

Tony

[kuroi]

This isn't being stored by Zen Cart, but by her browser. The autocomplete function is built into Firefox and also come with the Google Toolbar. So it's her browser that's storing the information and re-inserting it.

Theoretically site's shouldn't interfere with the choices that users make for their browser settings (even if they are defaults and they don't know they've made them). So the standards authorities haven't provided a way to do so.

However, IE and Mozilla have slipped some non-standard features into their browsers, so that adding autocomplete="off" to the credit card fields input will disable the facility, though it will also cause the page to fail validation, though in this case that's probably acceptable.