I’m looking for a server-side implementation to disable a browser from saving invalid login credentials.
For example, user “foo” logs in with password “bar”. Browser asks foo if he wants to save the password. However, foo’s password is actually “baz” and therefor would be saving the incorrect password.
I’ve tried manipulating the HTTP codes, such as sending HTTP/1.1 401, but without success.
This is NOT solved by adding “autocomplete” to the form, as this prevents any saving (even valid).
Server backend is PHP.
You can’t have it dismiss that box if the authentication fails. However, you could have it prevent subsequent fillings of that field on the “Password Failed” page after the initial attempt. Once the page has loaded, manipulate the DOM to remove the text value from the password field if the last login attempt was invalid. It would still display the password on subsequent “fresh” visits to the site, but hopefully the correct password will have been saved by then.