RSS 2.0 Feed
RSS 2.0


Atom 1.0 Feed
Atom 1.0

Saturday, December 18, 2004 8:46 AM Filed under:
 General
 Web/ASP.NET

  Setting the Value of a TextBox with TextMode=Password 

When the TextMode property of an ASP.NET TextBox is set to Password the value set in the Text property will not display at runtime. This can be a pain, however it is actually by design to prevent the unmasked password from being displayed in the HTML source of the page.

While the security reasons are good to not display the masked password value, leaving it unmasked in the source, it is also necessary at times to display the masked value in the TextBox. For example, a user profile page where the user has the ability to change their password. It makes sense to display it there. After all, the user has already authenticated to get to the page (although the value is sent with the data to the browser and could easily be sniffed).

Security reasons aside, you can work around this by adding the password value to the control as as Attribute. Since the TextBox renders as an HTML input control, you can set the value attribute easily, just as you would set the Text property.

PasswordText.Attributes.Add("value", "ThePassword");

Use this to set the value, instead of setting the Text property. You can still read the value from the control via the Text property.




                   



Leave a comment below.

Comments

  1. David M. Kean 12/18/2004 11:39 AM
    Gravatar
    As the page is saved to disk, anyone can open it and view the password as clear text.

    The better way to do this is to have a seperate reset password page, where you have to enter the old and the new passowrd. That way you never have to display the password on the page at all.
  2. Ryan Farley 12/18/2004 12:08 PM
    Gravatar
    David,

    You are abolutely right. I tend to stay away from sending password back to the browser as a rule as well. I should have made that more clear in my post. However, I don't like to rule out a way of doing something just because it doesn't work that way normally, so I figured it was worth pointing out how to go about it if needed (the "when" and "why" is left up to the developer/specs). Again, thanks for the comment, with a post pointing out a work-around for something in place for security reasons I should have done the responsible thing and point out why you shouldn't work around it more strongly.

    -Ryan
  3. Milan Negovan 12/18/2004 4:36 PM
    Gravatar
    The first time I ran into this issue it baffled me. Eventually, I figured to apply the trick you share here.

    I still can't understand the rationale behind this "security feature", because this is about messing with the conventional browser behavior. When you type in a password and submit the form, the password is posted in plain and clear. If anyone is sniffing the session they already have it! Why make it more difficult by pretending it didn't happen? Dunno, really.
  4. TOURNEY LOGIC LINK BLOG 12/18/2004 9:01 PM
    Gravatar
  5. Jiho Han 12/20/2004 6:15 AM
    Gravatar
    well, I think the reason for the masked textbox in the browser is that these browsers were used in public settings like in a university computing center (which is where I first experienced "World Wide Web" via Mosaic), or at a public terminal at a convetion center. Your password being sent in clear text to the network and your password being visible to the guy sitting next to you or the woman peeking over your shoulder are two different things.
  6. pravin 4/19/2005 10:42 PM
    Gravatar
    still i am getting error its not working tell me where i am wrong

    <asp:TextBox ID="Pass" TextMode="Password" Runat="server" Text="Hello">
    <asp:textbox id="txtPassword" runat="server" Width="241px" TextMode="Password" MaxLength="255"></asp:textbox>


    Pass.Attributes.Add ("Value", Pass.Text);
    txtPassword.Attributes.Add (dgUserList.Items[dgUserList.SelectedIndex].Cells[3].Text, txtPassword.Text);


    Do you know why there is no value in my password box?
    my code is above one...
    i want to set password into text box when user select user details from Grid to Update




    PasswordText.Attributes.Add("value", "ThePassword");
    as per u what comese in my case
    str key and str value
  7. Jonno 6/13/2005 12:35 AM
    Gravatar
    Well if you dont want users to see it, set it with an encrypted password and store a version of it in a hidden field.

    When you persist it back reconvert hidden field and password textbox to unencrypted version and compare them.

    If they are equal save the encrypted version - reconvert it.

    If they are not save the new version in the password textbox.
  8. David Silverlight 8/11/2005 1:05 PM
    Gravatar
    I had been fighting with this for some time and blogged about it recently myself. It seems that setting the attribute in the prerender event of the textbox does the trick nicely.

    Protected Sub txtPassword_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles txtPassword.PreRender

    txtPassword.Attributes("value") = txtPassword.Text

    End Sub

  9. kornolio 10/10/2006 8:38 PM
    Gravatar
    thanks a lot David!

    i was having a problem displaying the text in my password textbox inside my detailsview control. it uses an objectdatasource control to populate itself. using your solution i finally resolved it.

  10. stephen natawardaja 4/11/2007 5:02 PM
    Gravatar
    Thanks, I found this helpful =)
  11. M.P.Santhakumar 4/15/2007 10:44 PM
    Gravatar
    how to change the password character in asp.net 2.0?
  12. host 6/13/2007 11:31 AM
    Gravatar
    Well if you dont want users to see it, set it with an encrypted password and store a version of it in a hidden field.

    When you persist it back reconvert hidden field and password textbox to unencrypted version and compare them.

    If they are equal save the encrypted version - reconvert it.

    If they are not save the new version in the password textbox.
  13. Jagdish 7/2/2007 10:50 PM
    Gravatar
    I've created multiple Textbox during the runtime now i need to set textmode to multiline for each created textbox kindly help me.
  14. Durga 9/14/2007 6:43 AM
    Gravatar
    This topic solved my issue of asigning of some spaces in the password filed. Thanks a lot.
  15. LJ 11/26/2007 9:13 PM
    Gravatar
    My problem is that I have an assignment where I need to use a cookie to populate the username and password fields of a login page. However, when I have the textbox for the password set to TextMode=password, it will not populate with the value in the cookie, although it will if the TextMode=singleline. What I need to know is how to convert the TextMode from password to singleline so the cookie value can populate, then convert back to TextMode=password.
  16. Sree 2/28/2008 10:10 PM
    Gravatar
    The code was of great help to me.
    Thanks :)
  17. Neal 7/15/2008 6:37 AM
    Gravatar
    FYI: Adding the attribute value will allow anyone reading the source of your page will be able to see your password in the controls attribute section.
  18. Sunny Setia 9/12/2008 12:13 AM
    Gravatar
    By using this password is coming in the text box but when we open the page source, the password value is coming which is not Right anyone can see the password.
  19. Ryan Farley 9/12/2008 10:07 AM
    Gravatar
    @Neal & @Sunny Setia, That is correct and has always been the case and something to always be aware of when passing a password back and forth (I usually opt to not send the password back to the browser if possible - just allow the user to send a new one to the server)

    -Ryan
  20. Shaun 9/24/2008 7:06 AM
    Gravatar
    Brilliant, thanks this solved my problem straight away!
  21. ThomasR 10/7/2008 2:16 AM
    Gravatar
    Thank you so much, you saved my time and it did the trick !

Leave a comment

Please be polite and on topic. Your e-mail will never be published.

Please add 6 and 2 and type the answer here:



 

News


Also see my CRM Developer blog

Connect:            

Sponsor

Recent Posts

Sections