
How-to safely keep a password field during postbacks and why it shouldn't be done

Roberto Colnaghi, 31 May 2007
Think of this article as a beginner's guide to thinking about design and security when solving problems.
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="BetterDesign.aspx.cs" Inherits="BetterDesign" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>No need to keep it!</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Label ID="lblUser" runat="server" Text="User"></asp:Label>
        <asp:TextBox ID="txtUser" runat="server"></asp:TextBox>
        <asp:Label ID="lblTypedUser" runat="server"></asp:Label><br />
        <asp:Label ID="lblCurrentPassword" runat="server" Text="Current Password"></asp:Label>
        <asp:TextBox ID="txtCurrentPassword" runat="server" TextMode="Password"></asp:TextBox>
        <asp:Label ID="lblCurrentStoredPasswordInfo" runat="server"></asp:Label><br />
        <asp:Label ID="lblNewPassword" runat="server" Text="New Password"></asp:Label>
        <asp:TextBox ID="txtNewPassword" runat="server" TextMode="Password"></asp:TextBox><br />
        <asp:Label ID="lblNewPasswordConfirmation" runat="server" Text="Confirm New Password"></asp:Label>
        <asp:TextBox ID="txtNewPasswordConfirmation" runat="server" TextMode="Password"></asp:TextBox>
        <br />
        <asp:Button ID="btnPostBack" runat="server" OnClick="btnPostBack_Click" Text="Post the page back!" />
        <br />
        <br />
        <asp:Label ID="lblResponse" runat="server"></asp:Label><br />
        <br />
        <asp:TextBox ID="txtPageInstructions" runat="server" BorderStyle="None" Rows="10" TextMode="MultiLine"
            Width="100%">1. Enter the page and type &quot;user1&quot; as a user.
2. Click &quot;Post the page back!&quot;. Verify that the user is maintained.
3. Enter &quot;*&quot; (an asterisk) as a new password, and as the confirmation. 
4. Click &quot;Post the page back!&quot; and verify that &quot;-842352762&quot; is generated as the password hashcode.
5. Let's change the password. Enter &quot;*&quot; as current password. Enter &quot;1&quot; as new password and confirm it.
6. Click &quot;Post the page back!&quot;. Verify that the generated hashcode changed to &quot;-842352753&quot;.
7. Try anything else and report your findings!</asp:TextBox></div>
    </form>
</body>
</html>


License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Roberto Colnaghi
Software Developer
United States
I'm a passionate developer and videogame player.
Been in touch with Objective-C, Javascript, C#, C, Guild Wars 2, Tera and many more.
 
Javascript is one of my favorite languages.
Article Copyright 2007 by Roberto Colnaghi