* This is the modus mailing list *



The viewstate is hashed with base64 by default. You can make it more secure by using a DES encryption. I think it's a MAC viewstate setting. The viewstate is used as a placeholder for session and form variables between posting.

I guess the password has to be in the source, otherwise the web server won't know it.
A confirmation message would be helpful for users.


Salama


From: "Del Hines" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: [Modus] blank password field in Webadmin
Date: Mon, 17 Nov 2003 13:04:27 -0600

From my tests, I don't believe asp.net will store the password text in
the viewstate even encrypted.  I think even on a standard textbox
control, I think the text is just stored in the 'value' parameter of the
input tag and is not stored in the viewstate.  I may be wrong though.



Looking back at Salama's original question of "what is the logic behind
this", a password field should never be pre-populated in a change
password form.  The whole point of having the 'old password' field to
begin with is to authenticate the person that is resetting the password.
He/We will just have to explain this to the end user.



- Del



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Suneel Jhangiani
Sent: Monday, November 17, 2003 12:00 PM
To: [EMAIL PROTECTED]
Subject: [Modus] blank password field in Webadmin



In ASP.Net the password would be stored as part of the Viewstate if it
is run as a control. The viewstate would be encrypted but uses a fairly
weak algorithm.


Regards,

Suneel Jhangiani

Inter-Computer Technology Ltd.

Modus3 Bug Buster Co-MVP

If you declare love, what identifier scope does it have?

-----Original Message-----
From: Del Hines [mailto:[EMAIL PROTECTED]
Sent: 17 November 2003 17:38
To: [EMAIL PROTECTED]
Subject: [Modus] blank password field in Webadmin




1) In a standard html or asp page, if the password field is preloaded
with the password either programmatically or in the html source,
asterisks will be shown and the password _WILL_ be displayed in
plain-text in the html source.

2) In ASP.Net, a password field (run as a control) will be blank even if
there is an attempt to preload it with the password either
programmatically or in the html source.

Perhaps the "your settings have been changed successfully" should be
more prominently displayed (at least on the password page)



- Del
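
The two questions raised in this thread (is the password in the 'value' attribute of the rendered input tag, and is it inside the __VIEWSTATE field) can be checked on a page fetched with a throwaway test account. The script below is an added example, not code from any poster or from Webadmin; the function name, the finding labels and the sample pages are made up for illustration. It assumes the viewstate value is base64 text and that a stored string would appear in the decoded bytes as UTF-8 or UTF-16LE; an encrypted viewstate will not match.

```python
import base64
import binascii
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag in a page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def audit_page(html, test_password):
    """Return (finding, field name) pairs for a page rendered for a test account."""
    parser = InputCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.inputs:
        name = attrs.get("name", "")
        # Case 1 from the thread: password preloaded into the input tag itself.
        if attrs.get("type", "").lower() == "password" and attrs.get("value"):
            findings.append(("prefilled-password-field", name))
        if name == "__VIEWSTATE":
            try:
                blob = base64.b64decode(attrs.get("value", ""), validate=True)
            except (binascii.Error, ValueError):
                findings.append(("viewstate-not-base64", name))
                continue
            # Assumption: a stored string shows up as UTF-8 or UTF-16LE bytes.
            needles = (test_password.encode("utf-8"),
                       test_password.encode("utf-16-le"))
            if any(n in blob for n in needles):
                findings.append(("password-in-viewstate", name))
    return findings


# Constructed sample pages; the state bytes are not real ViewState serialization.
LEAKY_STATE = base64.b64encode(b"\x01\x02pwd=Test-Pw-123\x03").decode()
CLEAN_STATE = base64.b64encode(b"\x01\x02no secrets\x03").decode()
PAGE_BAD = ('<form><input type="hidden" name="__VIEWSTATE" value="%s">'
            '<input type="password" name="oldpw" value="Test-Pw-123"></form>'
            % LEAKY_STATE)
PAGE_OK = ('<form><input type="hidden" name="__VIEWSTATE" value="%s">'
           '<input type="password" name="oldpw"></form>' % CLEAN_STATE)

if __name__ == "__main__":
    print(audit_page(PAGE_BAD, "Test-Pw-123"), audit_page(PAGE_OK, "Test-Pw-123"))
```
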



