1

Is there any secure way of setting value to textbox in password mode?

I have a custom login form with a password textbox:
<asp:TextBox ID="tbPassword" runat="server" TextMode="Password"></asp:TextBox>
and on page load, I'd like to put a remembered password there that I've decrypted in code-behind from a cookie.

95% of the answers I've found are to set the textbox value, like:
tbPassword.Attributes["value"] = "ThePassword";

However, it's not the most secure way, as it generates the following HTML, visible in View Source, where the password is stored in plain text:

<input id="tbPassword" type="password" value="ThePassword" name="ctl00$cpMainContentParent$tbPassword">

I've tried different way with jQuery, setting value with:

$("#tbLogin").val("ThePassword");

It is much better, as the value is not visible in View Source, yet the password is visible in the jQuery script on the page...

I've also tried to register a client script and run it, but as I cannot "unregister" it, the result is the same as with the plain jQuery script...

Do you know any workaround to set that value and not show it in source code?

4

2 Answers

2

Do not set the password in an INPUT element. Instead, set it to a random or fixed value (if you want to indicate a password is set) or empty otherwise. As you say, it means the password is visible in the page source. To handle changing the password, set a flag when the password value changes so that the handling code, either server or client side, knows when the password is modified.

answered 2012-09-27T14:22:57.753
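One way to implement the first answer's "fixed value plus a changed flag" in ASP.NET Web Forms code-behind, as an added example that is not code from the question or the answers: the page renders a fixed sentinel in the password box and never emits the remembered password; on postback, an unchanged sentinel means "use the remembered credential", anything else is new input. The control names tbLogin, cbRemember and lblError, the cookie name and the MachineKey purpose string are assumptions; tbPassword comes from the question.

```csharp
// Added example (not from the question or the answers). Renders a sentinel instead of the
// password and decides on postback whether the user typed a new one.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    // Fixed placeholder: carries no information, so it is harmless in View Source.
    private const string Sentinel = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
    private const string CookieName = "rememberme";        // assumed cookie name
    private const string Purpose = "Login.RememberMe.v1";  // assumed MachineKey purpose

    protected TextBox tbLogin;      // username box (assumed name)
    protected TextBox tbPassword;   // TextMode="Password", from the question
    protected CheckBox cbRemember;  // "remember me" checkbox (assumed name)
    protected Label lblError;       // error label (assumed name)

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // Only signal that a remembered credential exists; never emit the password itself.
        if (ReadRememberedPassword() != null)
            tbPassword.Attributes["value"] = Sentinel;
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string typed = tbPassword.Text;
        // Unchanged sentinel == "use the remembered credential"; anything else is new input.
        string password = typed == Sentinel ? ReadRememberedPassword() : typed;

        if (password != null && Membership.ValidateUser(tbLogin.Text, password))
        {
            if (cbRemember.Checked)
                WriteRememberedPassword(password);
            FormsAuthentication.RedirectFromLoginPage(tbLogin.Text, false);
            return;
        }
        lblError.Text = "Invalid login.";
    }

    // The cookie payload is protected with the machine key, so it is opaque to the client
    // and rejected if tampered with. Keeping the password in a cookie at all is the
    // question's design; an opaque server-issued token would be the stronger choice.
    private void WriteRememberedPassword(string password)
    {
        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(password), Purpose);
        Response.Cookies.Add(new HttpCookie(CookieName, Convert.ToBase64String(protectedBytes))
        {
            HttpOnly = true,   // not readable from page script
            Secure = true,     // only sent over HTTPS
            Expires = DateTime.UtcNow.AddDays(30)
        });
    }

    private string ReadRememberedPassword()
    {
        HttpCookie cookie = Request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            byte[] plain = MachineKey.Unprotect(Convert.FromBase64String(cookie.Value), Purpose);
            return plain == null ? null : Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException) { return null; }  // tampered, or protected by another key
        catch (FormatException) { return null; }         // cookie value is not valid base64
    }
}
```

The "flag" the answer mentions is simply the comparison against the sentinel: because the sentinel is only written on the initial GET, a postback that still carries it means the user did not touch the field. The decrypted password exists only on the server, so neither View Source nor a script debugger can show it.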
2

As Bob's comment says, the whole concept is flawed. If the cookie is valid, then just skip the password prompt. If it's not valid, then you have nothing to auto-fill with.

That being said, there is nothing you can do to directly fill the textbox which can't be intercepted in some way. Even if you filled it via a post-load AJAX call, the user could still see the content via something like FireBug. That's inherent in the nature of web browsers - there's nothing that's secure from the browser itself, because the browser needs to understand it to render it.

If you really want to do this, one option is to compute a custom hash of the password which incorporates the timestamp (or some other one-time value), and set the textbox to that. You'd need to accept both the standard password and the hash as valid, but the hash won't be reusable so it won't matter if the user sees it.

answered 2012-09-27T14:25:43.587
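The time-bound, non-reusable stand-in value from the second answer, as an added example that is not code from the answers. The swapped-in technique is a keyed HMAC-SHA256 over the username and a timestamp under a server-side key, rather than a hash of the password itself, so the value placed in the textbox reveals nothing about the password even if the user reads it. The key, the two-minute window, the clock-skew allowance and the in-memory replay set are assumptions.

```csharp
// Added example (not from the answers). Issues and verifies a short-lived, single-use login
// token that the login handler can accept in place of the password.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class OneTimeLoginToken
{
    // Assumed placeholder: in a real deployment load this from configuration or a secret store.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("replace-with-32-random-bytes-from-config");
    public static readonly TimeSpan Window = TimeSpan.FromMinutes(2);

    // Tokens already accepted; blocks reuse inside the window. Single-server only and
    // never pruned here; a real deployment would expire entries once the window passes.
    private static readonly HashSet<string> Used = new HashSet<string>();
    private static readonly object UsedLock = new object();

    // Token layout: "<unixSeconds>.<base64url(HMAC-SHA256(key, username + "\n" + unixSeconds))>"
    public static string Issue(string username, DateTimeOffset issuedAt)
    {
        string ts = issuedAt.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return ts + "." + Base64Url(Mac(username, ts));
    }

    public static bool Verify(string username, string token, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(token)) return false;
        int dot = token.IndexOf('.');
        if (dot <= 0) return false;
        string ts = token.Substring(0, dot);
        long seconds;
        if (!long.TryParse(ts, NumberStyles.None, CultureInfo.InvariantCulture, out seconds))
            return false;

        // Freshness: reject tokens older than Window or from the future (30 s skew allowed).
        DateTimeOffset issuedAt = DateTimeOffset.FromUnixTimeSeconds(seconds);
        if (issuedAt > now.AddSeconds(30) || now - issuedAt > Window) return false;

        // Integrity: recompute the MAC and compare in constant time.
        byte[] expected = Mac(username, ts);
        byte[] given;
        try { given = FromBase64Url(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(expected, given)) return false;

        // Single use: the same token is never accepted twice.
        lock (UsedLock) { return Used.Add(token); }
    }

    private static byte[] Mac(string username, string ts)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(username + "\n" + ts));
    }

    // Length check first, then a full pass over the bytes regardless of where they differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Base64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }
}
```

On the initial GET the page would set `tbPassword.Attributes["value"] = OneTimeLoginToken.Issue(user, DateTimeOffset.UtcNow)`, and the login handler accepts either `OneTimeLoginToken.Verify(user, tbPassword.Text, DateTimeOffset.UtcNow)` or the normal password check. Note what this buys and what it does not: the visible value expires and cannot be replayed, but within the window it is still a credential that logs the user in, which is exactly what a valid "remember me" cookie already is, so the answer's first suggestion (skip the prompt when the cookie is valid) gives the same result with less machinery.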