How-to safely keep a password field during postbacks and why it shouldn't be done

, 31 May 2007
Think of this article as a beginner's guide to thinking about design and security when solving problems.
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class BetterDesign : System.Web.UI.Page
{
    // ViewState key under which the hash code of the last accepted password is kept.
    private const string StoredPasswordKey = "TypedPassword";

    /// <summary>
    /// Runs on every request (first load and each postback): clears the response
    /// label and disables the "current password" controls. btnPostBack_Click turns
    /// them back on later in the same request once a password has been stored.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        lblResponse.Text = "";
        SetCurrentPasswordControlsEnabled(false);
    }

    /// <summary>
    /// Hash code of the currently accepted password, persisted in ViewState,
    /// or null when no password has been accepted yet. Setting it also refreshes
    /// the informational label.
    /// </summary>
    /// <remarks>
    /// String.GetHashCode() is not a cryptographic hash: it is not one-way, it
    /// collides, and its value is not guaranteed to be stable across runtime
    /// versions. ViewState is also round-tripped through the client and is
    /// readable there unless ViewState encryption is enabled. The article uses
    /// this only to illustrate the round-trip; real code would verify against a
    /// salted password hash kept server-side.
    /// </remarks>
    protected int? StoredPasswordHashCode
    {
        get
        {
            object stored = ViewState[StoredPasswordKey];
            return stored == null ? (int?)null : Convert.ToInt32(stored);
        }
        set
        {
            ViewState[StoredPasswordKey] = value;
            lblCurrentStoredPasswordInfo.Text = "Hashcode of current stored password is \"" + value + "\"";
        }
    }

    /// <summary>
    /// Handles the postback: checks the typed current/new/confirmation passwords
    /// against the stored hash code and, when everything checks out, stores the
    /// hash code of the new password. User feedback goes to lblResponse.
    /// </summary>
    /// <remarks>
    /// Illustrative only: no validators are used (all fields must be typed before
    /// posting back) and the "database" is the ViewState-backed
    /// StoredPasswordHashCode property, with the caveats described there.
    /// </remarks>
    protected void btnPostBack_Click(object sender, EventArgs e)
    {
        string typedUser = txtUser.Text;
        string acceptedPassword = ResolveNewPassword();

        // Save to database or do whatever work is needed with user/acceptedPassword.
        // acceptedPassword is null when nothing was accepted, so it must be tested for.
        lblTypedUser.Text = typedUser;
        if (acceptedPassword != null)
        {
            StoredPasswordHashCode = acceptedPassword.GetHashCode();
        }

        // Enable the current-password fields once a password has been stored.
        if (StoredPasswordHashCode != null)
        {
            SetCurrentPasswordControlsEnabled(true);
        }
    }

    // Returns the new password when the typed data passes every check, otherwise
    // null, writing the reason to lblResponse for the two failures that report one.
    private string ResolveNewPassword()
    {
        int? storedHash = StoredPasswordHashCode;
        bool noPasswordStoredYet = storedHash == null;

        // Is there any data to work with? Missing input is ignored silently
        // (no validators are used in this sample).
        bool currentTyped = noPasswordStoredYet || HasText(txtCurrentPassword.Text);
        if (!currentTyped || !HasText(txtNewPassword.Text) || !HasText(txtNewPasswordConfirmation.Text))
        {
            return null;
        }

        // Compare the typed password's hash code with the stored one
        // (stand-in for a database lookup; hash-code equality is not a password check).
        if (!noPasswordStoredYet && txtCurrentPassword.Text.GetHashCode() != storedHash)
        {
            lblResponse.Text = "The informed password is invalid, please retype.";
            return null;
        }

        // Does the confirmation match the new password?
        if (txtNewPassword.Text != txtNewPasswordConfirmation.Text)
        {
            lblResponse.Text = "New password does not match with confirmation, please retype.";
            return null;
        }

        return txtNewPassword.Text;
    }

    // True when the text contains something other than whitespace.
    private static bool HasText(string text)
    {
        return text.Trim().Length > 0;
    }

    // The three "current password" controls are always toggled together.
    private void SetCurrentPasswordControlsEnabled(bool enabled)
    {
        lblCurrentPassword.Enabled = enabled;
        txtCurrentPassword.Enabled = enabled;
        lblCurrentStoredPasswordInfo.Enabled = enabled;
    }
}

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.
