Password TextMode for TextBox

paul reed

Hello,

I have a text box that is set with a TextMode of Password. The problem is,
when I pull up an operator profile in my app and assign the password in the
db to this field (it is hashed)...it doesn't take. I get into debug and
nothing is there. If I change the TextMode to SingleLine...then it shows up.

I tried changing the textmode dynamically in code after assigning the value
and still it doesn't take the value. I would have expected it to act like it
does when you enter a password into a textmode password field...it would
show "*****" in the field but the password would still be available at
postback.

Paul
 
Steven Cheng[MSFT]

Hi Paul,

From your description, you used an ASP.NET TextBox
control (TextMode=Password) in the page and found that the content of the
control will be cleared after postback. So you're wondering whether there
is some means to make it retain the value the user entered or that was set at
server side, yes?

As for this problem, I think it's normal behavior of the HTML element for
security concerns. When the ASP.NET TextBox control's TextMode is set to
"Password", it is actually rendered to the client as an
"<input type="password" ...>" HTML element. And the reason this
element's value won't remain after the page is submitted is that when the
<form ..> is submitted as "method=post", all the data (values in the input
fields) is carried in the HTTP request's header area, which can prevent it
from being viewed by most users. And when the page is sent back, the content
in the input password element will be cleared, because if it kept the
original value, or we could set some value in it, it would be transferred to
the client side in the response's content area rather than the header area,
which is easy for someone else to steal. So the behavior that we can't keep
its original value, or set a new value at server side and have it remain at
the client, is for security reasons.

In addition, if you do want to set the value of the <input type="password">
element, one way is to use JavaScript. For example, for the element below
in the page

<input id="pwdHtml" type="password" runat="server" ..>

we can use

document.getElementById("pwdHtml").value = .....

to assign a value to it on the client side. But I don't think this is a good
approach. What do you think of this?

Here is a web link to the DHTML security considerations in MSDN; I hope it
is also helpful.
#Security Considerations: Dynamic HTML
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/sec_dhtml.asp



Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
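
One way to handle the profile page without sending the stored hash back to the browser, as an added example that is not part of the original thread: leave the Password-mode box empty when the profile loads and treat an empty posted value as "keep the current password". The class and method names and the "salt:hash" storage format are assumptions, and the code assumes .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload used.

```csharp
using System;
using System.Security.Cryptography;

// Added example; PasswordField, Resolve and the "salt:hash" format are hypothetical.
public static class PasswordField
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // postedText: Text of the Password-mode TextBox on postback. It is empty
    // when the operator typed nothing, because the page never pre-fills it.
    // storedHash: the value currently held in the database for this operator.
    public static string Resolve(string postedText, string storedHash)
    {
        if (string.IsNullOrEmpty(postedText))
            return storedHash;          // blank field means "keep current password"
        return Hash(postedText);        // a new password was typed: hash it fresh
    }

    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(HashBytes));
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;               // compare every byte, no early exit
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    public static void Main()
    {
        string stored = Hash("constructed-old-password");   // constructed sample data
        Console.WriteLine(Resolve("", stored) == stored);    // field left blank
        string updated = Resolve("constructed-new-password", stored);
        Console.WriteLine(Verify("constructed-new-password", updated));
    }
}
```

In a code-behind save handler, the posted TextBox text and the hash loaded from the database would be passed to Resolve, and the returned string written back to the password column.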
 
