473,569 Members | 2,831 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Web Control vs. html "run as server" for setting password from coo

I'm trying to create a login page for customers to log into our corporate
website, our presidents naturally wants the user and password fields to
populate from a cookie so the customer doesn't have to type their credentials
every time, this seems like a pretty common thing. However, when I try to
populate the password HTML textbox from the cookie, the textbox remains
blank. However, if I try this from an equivalent web control, the textbox
shows the hidden password ••••• ••••.

My research in Google tells me that there is absolutely no way to populate
an html textbox with text when the type="password. " Articles I've read say
that this is because a user can look at the page source markup and see the
actual password, which Microsoft sees as a security issue.

However, I am able to get this to work when I use a .NET web control, even
though the password is shown in source markup. It doesn't make sense that
they would restrict functionality in an html control yet not do so in a web
control.

I'd really prefer having my textboxes be part of an html form to avoid
repeat round trips to the server, is there absolutely no workaround for the
issue?

Thanks,

Andre Ranieri
Nov 19 '05 #1
6 2285
you can set the password from the server side by using the control
attributes. just add the "value" attribute with the password value.

-- bruce (sqlwork.com)
"Andre Ranieri" <An**********@d iscussions.micr osoft.com> wrote in message
news:DB******** *************** ***********@mic rosoft.com...
| I'm trying to create a login page for customers to log into our corporate
| website, our presidents naturally wants the user and password fields to
| populate from a cookie so the customer doesn't have to type their
credentials
| every time, this seems like a pretty common thing. However, when I try to
| populate the password HTML textbox from the cookie, the textbox remains
| blank. However, if I try this from an equivalent web control, the textbox
| shows the hidden password ..........
|
| My research in Google tells me that there is absolutely no way to populate
| an html textbox with text when the type="password. " Articles I've read
say
| that this is because a user can look at the page source markup and see the
| actual password, which Microsoft sees as a security issue.
|
| However, I am able to get this to work when I use a .NET web control, even
| though the password is shown in source markup. It doesn't make sense that
| they would restrict functionality in an html control yet not do so in a
web
| control.
|
| I'd really prefer having my textboxes be part of an html form to avoid
| repeat round trips to the server, is there absolutely no workaround for
the
| issue?
|
| Thanks,
|
| Andre Ranieri
Nov 19 '05 #2
I'm afraid you've still got some holes in your understanding of how ASP.Net
works. In addition, you have a security issue that you're not aware of.
Let's start with the first part first.

An ASP.Net WebForm renders an HTML form on the client. There is absolutely
no requirement that a Server Control cause a PostBack. So, ther is
absolutely no requirement that you do this with a static HTML page, although
you certainly could.

Using an HTML document, you COULD populate the password box from a cookie.
JavaScript can read cookies. Google is useful, but you have to ask the right
questions. However, how is the JavaScript is a static HTML document going to
know what password to use? I suppose you could use behaviors, and have the
JavaScript call a Web Service to obtain the password, but again, how does
the JavaScript know what password to ask for? And this is already beginnning
to look like a shortcut that is more complicated than the alternative.

On the other hand, you could use an ASP.Net WebForm instead. Using the
WebForm, you could also populate the password box from a Cookie. However,
the problem there is, the password would appear in clear text in the HTML of
the document. This would be an unacceptable security issue.

This is the reason that password boxes are not populated in almost all forms
that take passwords. There was a time when people used their own computers
all the time. Now, one of your users could drop into a cyber cafe on his
lunch break, log in to your web site, and leave his password behind for
everyone that followed.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Neither a follower nor a lender be.

"Andre Ranieri" <An**********@d iscussions.micr osoft.com> wrote in message
news:DB******** *************** ***********@mic rosoft.com...
I'm trying to create a login page for customers to log into our corporate
website, our presidents naturally wants the user and password fields to
populate from a cookie so the customer doesn't have to type their
credentials
every time, this seems like a pretty common thing. However, when I try to
populate the password HTML textbox from the cookie, the textbox remains
blank. However, if I try this from an equivalent web control, the textbox
shows the hidden password ..........

My research in Google tells me that there is absolutely no way to populate
an html textbox with text when the type="password. " Articles I've read
say
that this is because a user can look at the page source markup and see the
actual password, which Microsoft sees as a security issue.

However, I am able to get this to work when I use a .NET web control, even
though the password is shown in source markup. It doesn't make sense that
they would restrict functionality in an html control yet not do so in a
web
control.

I'd really prefer having my textboxes be part of an html form to avoid
repeat round trips to the server, is there absolutely no workaround for
the
issue?

Thanks,

Andre Ranieri

Nov 19 '05 #3
Sending the password in plain text to the browser is a bad idea from a
security standpoint so the default security settings discourage it.
(Anybody can do a view source for the page and see the password)
However there is a workaround. You must set the password text via
clientside script.

This server side code outputs the needed client side code:

MyPWTextBox.Att ributes.Add("va lue", strPassword)

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net

"Andre Ranieri" <An**********@d iscussions.micr osoft.com> wrote in message
news:DB******** *************** ***********@mic rosoft.com...
I'm trying to create a login page for customers to log into our corporate
website, our presidents naturally wants the user and password fields to
populate from a cookie so the customer doesn't have to type their
credentials
every time, this seems like a pretty common thing. However, when I try to
populate the password HTML textbox from the cookie, the textbox remains
blank. However, if I try this from an equivalent web control, the textbox
shows the hidden password ..........

My research in Google tells me that there is absolutely no way to populate
an html textbox with text when the type="password. " Articles I've read
say
that this is because a user can look at the page source markup and see the
actual password, which Microsoft sees as a security issue.

However, I am able to get this to work when I use a .NET web control, even
though the password is shown in source markup. It doesn't make sense that
they would restrict functionality in an html control yet not do so in a
web
control.

I'd really prefer having my textboxes be part of an html form to avoid
repeat round trips to the server, is there absolutely no workaround for
the
issue?

Thanks,

Andre Ranieri

Nov 19 '05 #4
> However there is a workaround. You must set the password text via
clientside script.

This server side code outputs the needed client side code:

MyPWTextBox.Att ributes.Add("va lue", strPassword)
If I'm not mistaken, Steve, that would still make the password visible in
the HTML:

<input type="password" name="T1" size="20" value="password ">

Your statement that it needs to be set via client-side code would be
correct, IF there was a way that JavaScript could get the password without
putting it in the HTML, such as making a Web Method call. It could then
programmaticall y set the value of the password box (at run-time) without it
appearing in the HTML. But, as I mentioned earlier, there would still be a
problem of determining WHICH password it would fetch.

I really think the only workable solution is to leave the password OUT of
the cookie.

As a matter of fact, now that I think of it, anyone could get the password
out of the cookie without even opening a browser! Cookies are, after all,
just text files.

--
HTH,

Kevin Spencer
Microsoft MVP
..Net Developer
Neither a follower nor a lender be.

"Steve C. Orr [MVP, MCSD]" <St***@Orr.ne t> wrote in message
news:Oo******** ******@TK2MSFTN GP12.phx.gbl... Sending the password in plain text to the browser is a bad idea from a
security standpoint so the default security settings discourage it.
(Anybody can do a view source for the page and see the password)
However there is a workaround. You must set the password text via
clientside script.

This server side code outputs the needed client side code:

MyPWTextBox.Att ributes.Add("va lue", strPassword)

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net

"Andre Ranieri" <An**********@d iscussions.micr osoft.com> wrote in message
news:DB******** *************** ***********@mic rosoft.com...
I'm trying to create a login page for customers to log into our corporate
website, our presidents naturally wants the user and password fields to
populate from a cookie so the customer doesn't have to type their
credentials
every time, this seems like a pretty common thing. However, when I try
to
populate the password HTML textbox from the cookie, the textbox remains
blank. However, if I try this from an equivalent web control, the
textbox
shows the hidden password ..........

My research in Google tells me that there is absolutely no way to
populate
an html textbox with text when the type="password. " Articles I've read
say
that this is because a user can look at the page source markup and see
the
actual password, which Microsoft sees as a security issue.

However, I am able to get this to work when I use a .NET web control,
even
though the password is shown in source markup. It doesn't make sense
that
they would restrict functionality in an html control yet not do so in a
web
control.

I'd really prefer having my textboxes be part of an html form to avoid
repeat round trips to the server, is there absolutely no workaround for
the
issue?

Thanks,

Andre Ranieri


Nov 19 '05 #5
Yes, it would still be visible in the HTML. Like I said, this is not a good
thing to do from a security perspective.
I was just stating that it is possible to programatically set the password
text in a password field.
You can get the password from a cookie (user server side code) or from
wherever, there is nothing very mysterious about that aspect of it.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net
"Kevin Spencer" <ke***@DIESPAMM ERSDIEtakempis. com> wrote in message
news:Ox******** ******@TK2MSFTN GP10.phx.gbl...
However there is a workaround. You must set the password text via
clientside script.

This server side code outputs the needed client side code:

MyPWTextBox.Att ributes.Add("va lue", strPassword)


If I'm not mistaken, Steve, that would still make the password visible in
the HTML:

<input type="password" name="T1" size="20" value="password ">

Your statement that it needs to be set via client-side code would be
correct, IF there was a way that JavaScript could get the password without
putting it in the HTML, such as making a Web Method call. It could then
programmaticall y set the value of the password box (at run-time) without
it appearing in the HTML. But, as I mentioned earlier, there would still
be a problem of determining WHICH password it would fetch.

I really think the only workable solution is to leave the password OUT of
the cookie.

As a matter of fact, now that I think of it, anyone could get the password
out of the cookie without even opening a browser! Cookies are, after all,
just text files.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
Neither a follower nor a lender be.

"Steve C. Orr [MVP, MCSD]" <St***@Orr.ne t> wrote in message
news:Oo******** ******@TK2MSFTN GP12.phx.gbl...
Sending the password in plain text to the browser is a bad idea from a
security standpoint so the default security settings discourage it.
(Anybody can do a view source for the page and see the password)
However there is a workaround. You must set the password text via
clientside script.

This server side code outputs the needed client side code:

MyPWTextBox.Att ributes.Add("va lue", strPassword)

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://SteveOrr.net

"Andre Ranieri" <An**********@d iscussions.micr osoft.com> wrote in message
news:DB******** *************** ***********@mic rosoft.com...
I'm trying to create a login page for customers to log into our
corporate
website, our presidents naturally wants the user and password fields to
populate from a cookie so the customer doesn't have to type their
credentials
every time, this seems like a pretty common thing. However, when I try
to
populate the password HTML textbox from the cookie, the textbox remains
blank. However, if I try this from an equivalent web control, the
textbox
shows the hidden password ..........

My research in Google tells me that there is absolutely no way to
populate
an html textbox with text when the type="password. " Articles I've read
say
that this is because a user can look at the page source markup and see
the
actual password, which Microsoft sees as a security issue.

However, I am able to get this to work when I use a .NET web control,
even
though the password is shown in source markup. It doesn't make sense
that
they would restrict functionality in an html control yet not do so in a
web
control.

I'd really prefer having my textboxes be part of an html form to avoid
repeat round trips to the server, is there absolutely no workaround for
the
issue?

Thanks,

Andre Ranieri



Nov 19 '05 #6
Gentlemen,

Thanks for the great feedback. What I'm undestanding is that, if I'm going
to use cookies to remember passwords, I bypass the login/authentication page
and go right to the secure site if the user ID and password are known,
similar to MSN Messenger. This way I avoid exposing the password in html
source.

Thanks again for your time and dedication to the .net community.

Andre Ranieri

andre*at*senske *dot*com
Nov 19 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
8377
by: Hazzard | last post by:
I just realized that the code I inherited is using all asp.net server controls (ie. webform controls) and when I try to update textboxes on the client side, I lose the new value of the textbox when submitting the form to update the database. The server doesn't have the client side value any more. It seems to me that as I begin to write the...
1
1577
by: Matt | last post by:
If the web control has runat="server" attribute, can we say that control is built on the server (on the fly), and not static control?? Please advise.
1
2850
by: Robert Halford | last post by:
On 4th May at 7.45 in the evening my asp.net web sites stopped working on my development server. The page that appears says: Server Application Unavailable The web application you are attempting to access on this web server is currently unavailable. Please hit the "Refresh" button in your web browser to retry your request.
3
5513
by: Jaime Stuardo | last post by:
Hi all... Both controls are server side. The former has more properties. Both may have associated events that are ran at server. Which one are recommended to use? is performance an issue? in what case I can (or must) use the second? If I want an input control that has specific font or color, I can use client side <input> so I'm...
3
3484
by: Jim in Arizona | last post by:
Most of the asp.net learning I've done has been from books that were written during the 1.0 framework. I didn't have a copy of visual studio when I started reading them then I got a hold of VS 2005 Beta 1, then Beta 2. I was using the <div runat="server"> statement on my projects. Once I placed a <div id="testdiv" runat="server"> within my...
8
3001
by: David Thielen | last post by:
Hi; In our setup program how do I determine if I need to run "aspnet_regiis –i" and if so, is there an API I can calll rather than finding that program on the user's disk and calling it? -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com
11
2539
by: gunjan.mait | last post by:
hi, i wanted to know the exact use of runat="server" which is being used is ASP.NET why we every time need to use it, even when i want to do the work at client side? How to do simple processings like displaying some message at client side only without hitting server? what is the use of onclick, as we have to use onserverclick always? why...
2
2311
by: Bob | last post by:
Hi, in aspx file, i defined this: <input id="Button2" type="button" value="button" runat="server" onclick="klik()"/> This 'onclick' event is a clientclick (starting the Javascript function "klik()" ). I want to do a 'server onclick', just like the <asp:Buttoncontrol, but it
4
13291
by: Chris | last post by:
Hi, i 'm experimenting with postback and i tried that with a button server control and an Html input button but with runat="server". The button server control causes a postback, but not the Html input button with runat="server". Can someone explain me why (because it's running on the server)? Thanks
0
7703
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, well explore What is ONU, What Is Router, ONU & Routers main...
0
7619
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language...
0
7931
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
8139
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
0
6290
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development projectplanning, coding, testing, and deploymentwithout human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then...
1
5515
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupr who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5228
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
1
2119
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
1
1230
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.