Why is the Internet Explorer Autocomplete feature disabled for all html forms on my website?

Question

When Internet Explorers AutoComplete is turned on for Forms the entries for each field in the HTML form should be cached and displayed as a prompt when the user starts enter

Answer 1

I have determined that the problem is related to the Cache-Headers PHP sends out when the start_session() command is issued and the site is running SSL.

I have been able to get a hold of a person on the IE security team at Microsoft and they have confirmed that this is how IE is supposed to work. Here is a direct quote from the email.

"This is considered a feature of the autocomplete system. Significant code was written to make it behave this way."

When session_start(); is issued the default http headers php sends out are a no-cache header. Here is another quote from the Microsoft representitive.

If a secure page says "Don't cache me", that's an indication that the data is sensitive, and hence the autocomplete data itself is likely sensitive. Admittedly, it is a simple heuristic. Personally, I think it's a bit silly, but it's been there forever. It's probably a good suggestion to support "autocomplete=on" to override the default heuristic.

In order to re-enable the autoComplete feature I had to issue this command in php before the start_session() command:

session_cache_limiter ('private, must-revalidate');

I'm sure there are other ways of manipulating the header cache-controls to allow the autoComplete to function as well.

Here is a link to 3 examples forms I made so you can test with IE.