Solved

Pre-fill in password field

Posted on 2007-03-27
Last Modified: 2013-11-07
I have a page that accepts a username/password combination for a connection.  This is then stored with some other settings (yes it is encrypted).

If a site admin goes to the management page, they should be able to change various site settings, along with the above mentioned username/password if desired.

But if they do not want to change the username/password then I would like them to leave those fields alone.  If the field was a normal textbox field this works fine.  But we wanted to make the field a password field, so an admin casually browsing to the settings page would not see the password - just ********

However, as soon as you make this a password field (textmode="password") then it no longer fills in from the code behind.

This causes a problem, because when the page is then saved - if another setting was changed, it flushes the password.

It also is not a viable option to have the admin type in the password for this connection each time they want to make any of the other changes to the page.

Any ideas on how to be able to default fill in the password from the saved value?
0
Question by:mrichmon
 
LVL 5

Accepted Solution

by:
mzalewski earned 250 total points
ID: 18803541
The problem with a pre-filled password field is that the actual value of the field is stored in plain text in the HTML source (Unless something like Javascript is used to fill it in). This means anyone can go to View Source and see what the current password is.
You can see what kind of security problems this would create if people started creating websites etc. unaware that the password was actually being sent to the browser in plain text.

It's not even possible to set the value programmatically - it still displays blank.

If you still want the password pre-filled, the easiest solution would be to use javascript to autofill the password field when the page loads.
Other solutions:
Use a normal Textbox, and use javascript to change its 'type' attribute to 'password' on page load.
Find an alternative ASP.NET control on the internet.
Create your own custom control that allows you to do this.

If you are posting back to the same page, and you want the password field to appear 'filled in' then I'd suggest storing the password in a session variable (to keep it on the server), and using javascript to fill the password box with 0's.
When the page is posted back, the server can check to see if the password has been changed (i.e. doesn't contain 0's), and either use the new password, or retrieve the old one from session.

This way, the password is not being sent over the internet, the user 'sees' the password box filled in, and the password can still be changed if needed
0
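
The placeholder idea from the answer above, done server-side with no JavaScript, as an added example that is not part of the original post: the page renders a fixed mask in the password box and the save handler treats an unchanged mask as "keep the stored password". The class name, control names, mask string and `SettingsStore` stand-in are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example. SiteSettingsPage, the control names, Mask and SettingsStore
// are assumptions for illustration, not code from the thread.
public class SiteSettingsPage : Page
{
    // Fixed mask sent to the browser in place of the stored secret.
    private const string Mask = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";

    protected TextBox txtUserName;   // normally wired up from the .aspx markup
    protected TextBox txtPassword;   // TextMode="Password"

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            txtUserName.Text = SettingsStore.UserName;
    }

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
        // A password TextBox does not render its Text, but it does render
        // entries in Attributes, so only the mask reaches the HTML source.
        if (SettingsStore.HasPassword)
            txtPassword.Attributes["value"] = Mask;
        else
            txtPassword.Attributes.Remove("value");
    }

    // Hooked to the Save button's Click event.
    protected void Save_Click(object sender, EventArgs e)
    {
        SettingsStore.UserName = txtUserName.Text.Trim();
        string posted = txtPassword.Text;   // value posted by the browser
        // Empty box or untouched mask: keep the password already on file.
        if (posted.Length > 0 && posted != Mask)
            SettingsStore.SetPassword(posted);
    }
}
// Stand-in for the site's encrypted settings storage (hypothetical).
public static class SettingsStore
{
    private static string password = "";
    public static string UserName = "";
    public static bool HasPassword { get { return password.Length > 0; } }
    public static void SetPassword(string value) { password = value; }
}
```

With this shape the stored password is never written into the response, so View Source shows only the mask.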
 
LVL 35

Author Comment

by:mrichmon
ID: 18803923
>>This means anyone can go to View Source and see what the current password is.
Yes I realize that, but they can do that as well if I use a regular text box.  In fact, you can get the password of any password field using javascript regardless of how it was set.

>>I'd suggest storing the password in a session variable (to keep it on the server)
Won't work.

>>This way, the password is not being sent over the internet
It is when it is set/changed anyway.  That is what other security measures are for...

>>the easiest solution would be to use javascript to autofill the password field when the page loads.
That actually presents other issues that I don't particularly like.

>>Use a normal Textbox, and use javascript to change its 'type' attribute to 'password' on page load.
This is the only thing I was able to come up with on my own and had put in place for now while I waited to see if anyone came up with any other ideas.

The only other thing was to have some other indicator saying the password was changing - like making the user check a box that says something like "Update Password", but I didn't like that too much either...

Thanks for the input so far...
0
 
LVL 5

Expert Comment

by:mzalewski
ID: 18804129
Ok, here is a class I just created:
--------------------------------------------------------
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace CustomWebControls
{
    // TextBox that also renders its Text as the value attribute in Password mode.
    public class TextBox : System.Web.UI.WebControls.TextBox
    {
        protected override void AddAttributesToRender(HtmlTextWriter writer)
        {
            if (this.TextMode == TextBoxMode.Password)
            {
                // Note: base.AddAttributesToRender is skipped in this branch,
                // so only the attributes written here are emitted.
                Page page = this.Page;
                if (page != null)
                {
                    page.VerifyRenderingInServerForm(this);
                }
                string uniqueID = this.UniqueID;
                if (uniqueID != null)
                {
                    writer.AddAttribute(HtmlTextWriterAttribute.Name, uniqueID);
                }

                writer.AddAttribute(HtmlTextWriterAttribute.Type, "password");
                // Added this here: the stock TextBox omits the value attribute in
                // Password mode; this writes the current Text into the HTML source.
                string text = this.Text;
                if (text.Length > 0)
                {
                    writer.AddAttribute(HtmlTextWriterAttribute.Value, text);
                }
                int maxLength = this.MaxLength;
                if (maxLength > 0)
                {
                    writer.AddAttribute(HtmlTextWriterAttribute.Maxlength, maxLength.ToString(NumberFormatInfo.InvariantInfo));
                }
                // Columns maps to the size attribute (variable reused from above).
                maxLength = this.Columns;
                if (maxLength > 0)
                {
                    writer.AddAttribute(HtmlTextWriterAttribute.Size, maxLength.ToString(NumberFormatInfo.InvariantInfo));
                }
            }
            else
            {
                // If Textmode != Password
                base.AddAttributesToRender(writer);
            }
        }
    }
}
--------------------------------------------------------
2 - Compile it, place the dll in your website's bin folder

3 - Register it in your ASPX
<%@ Register Namespace="CustomWebControls" Assembly="CustomWebControls"  TagPrefix="CWC" %>

4 - Add the control to the page
<CWC:TextBox runat="server" TextMode="Password" Text="Hello123" />

Hopefully, this example will help anyone else who is looking to pre-fill a password box. It inherits the TextBox, so it should behave the same way. The only thing that won't work is the AutoPostback OnChange event (I hope that's the only thing). This can be easily added though.

I used Reflector to disassemble the .NET 2.0 TextBox, so it should be pretty close. For other TextModes, it just uses the base method.

It would have been easier to modify the "type" attribute after base.OnRenderAttributes is executed, but I don't know any easy way to do this.
0
