Security scan of our server says
Autocomplete HTML Attribute Not Disabled for Password Field.
Fix: Correctly set the "autocomplete" attribute to "off"
Reasoning: AppScan has found that a password field does not enforce
the disabling of the autocomplete feature
After seeing this report I have set autocomplete=off and AutoCompleteType="Disabled" for username and password textboxes. But it makes no change. Browser asks for Remember password and if click yes, autocomplete feature is enabled there. How can I resolve this? Or is there any mechanism to force stop the browser for asking remember password?
<asp:TextBox ID="tb_loginid" autocomplete="off" AutoCompleteType="Disabled" runat="server" ForeColor="#5D7B9D"></asp:TextBox>
<input type="password" style="display:none;"/>
<asp:TextBox ID="tb_password" autocomplete="off" AutoCompleteType="Disabled" runat="server" ForeColor="#5D7B9D" TextMode="Password" >*</asp:TextBox>
You may try with the below attribute on the form tag(if this is inside a form-which it should be in all fairness)
<form method="post" action="YourAction" id="loginForm" autocomplete="off">
Related
I'm new to programming in asp.net, I'm still learning and right now I'm building a login form.
This is my aspx (HTML file):
<div class="login">
<input type="text" placeholder="User" name="user" id="user" runat="server"><br>
<input type="password" placeholder="Password" name="password" id="password" runat="server"><br>
<button type="submit" class="btn-sucess" id="btn" runat="server" onserverclick="btn_Click">Login</button>
</div>
I need to create a button click event in aspx.cs to store the data in SQL Server, in my registration form I did this:
cmd.Parameters.AddWithValue("user", user.Text);
cmd.Parameters.AddWithValue("password", password.Text);
The difference was that the TAG in the .aspx file for registration was like this:
<td class="auto-style8">
<asp:TextBox ID="nome" runat="server" Width="159px"></asp:TextBox>
</td>
How can I do the same that I did in the registration form without using these asp tags?
You are trying to get rid of ASP.NET tag controls which effectively are syntactic sugar around HTML equivalents. You could re-write you ASP Textbox tag as below:
<input type="text" ID="nome" runat="server" style="width:159px"></input>
The runat="server" attribute gives you the flexibility to access this control at code behind (aspx.cs) and if you do not intend to do that, it can be removed as well.
from code behind access the value of text control like this -
string userName = user.Value;
you can directly access value of controls by using name of that control
In your case
<td class="auto-style8">
<asp:TextBox ID="nome" runat="server" Width="159px"></asp:TextBox>
</td>
you can access this value in .cs file like
cmd.Parameters.AddWithValue("user", nome.Text);
I am facing a very peculiar issue.
I have set textmode of an asp.net textbox to Password but it causes a problem i.e. it picks other passwords from cookies even it has nothing to do with my page.
And setting it to password also affects my another textbox with is set to SingleLine mode but when I remove Password textmode then it works correctly.
<asp:TextBox ID="txtPassword1" TextMode="Password" runat="server" CssClass="form-control"></asp:TextBox>
<asp:TextBox ID="txtUserLogin1" TextMode="SingleLine" runat="server" CssClass="form-control"></asp:TextBox>
Regarding this
it picks other passwords from cookies even it has nothing to do with my page.
I think it a browser functionality which automatically populates saved password for you. So when you have type as "password", it shows you some password. Try to clear saved password and then you will see blank textbox.
I am not sure about the second issue.
I added dummy text box
<asp:TextBox ID="dummy" runat="server" style="display:none"></asp:TextBox>
under the textbox which was showing prefilled data from cache. It solved my problem.
Try to use type="Password" instead of TextMode="Password"
I have an existing Login.aspx page that works when a user manually populates their login credentials and submits them.
I would like to create another version of this form for 'TRIAL' purposes that automatically populates the username and password textbox fields with values. I would like to make these textbox controls hidden. So essentially user just hits login button, it uses the automatically populated values, and logs the user in.
How can I convert existing code to do this?
Here is the code with the two textbox controls for username and password:
<asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName"
Text="Username">
</asp:Label>
<asp:TextBox ID="UserName" runat="server"></asp:TextBox>
<asp:CustomValidator ID="UserNameRequired" ValidateEmptyText="True"
OnServerValidate="ValidateUserName" ClientValidationFunction=""
runat="server" ControlToValidate="UserName"
ErrorMessage="<%$ resources: UserNameRequired %>"
ToolTip="<%$ resources: UserNameRequired %>" ValidationGroup="sLogin"
Text="<%$ resources: asterisk %>">
</asp:CustomValidator>
<asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password"
Text="<%$ resources: Password %>" Style="margin-top: 5px;"></asp:Label>
<asp:TextBox ID="Password" runat="server" CssClass="editCtl"
TextMode="Password" AutoComplete="off"></asp:TextBox>
I realize I can simply add the values directly into the page like this:
<asp:TextBox ID="UserName" runat="server" Text="user1" style="display:none;"></asp:TextBox>
<asp:TextBox ID="Password" runat="server" CssClass="editCtl" AutoComplete="off" Text="password1" style="display:none;"></asp:TextBox>
However, I guess the REAL question would then be how do I call these values in a more secure way?
From your OP I am making the following assumptions: You have two login pages, one for the normal users and one for the trial users. Both of these .ASPX pages are sharing the same code behind page in order to share the logic. This results in the trial login page needing to supply the username and password without the user entering it, and you don’t want those easily visible to the user.
You can use a second submit button for the trial login. On the normal page the trial submit button would be hidden and on the trial page the username, password and normal submit is hidden.
Refactor the code behind page so the login logic is in a separate method. For the normal login page get the username and password from the UI controls and call the method. In the trial button click use hard coded values, or better yet configured values, and call the method.
What about store the data, encoded into a cookie, and fill the input value if this cookie exist?
C#
Response.Cookies["userName"].Value = "patrick";
Response.Cookies["userName"].Expires = DateTime.Now.AddDays(1);
VB
Response.Cookies("userName").Value = "patrick"
Response.Cookies("userName").Expires = DateTime.Now.AddDays(1)
I have an asp.net Web Application, i have login screen in Application.
In userName and password field i have used required field validator as follows :
<td style="width: 160px">
<asp:TextBox ID="txtUserNm" runat="server" CssClass="txtSingleline txtBack-Color txtRequireBorder-Color required" Height="18px" Width="150px" TabIndex="1" MaxLength="50" onblur="ValidatorOnChange(event);showhide();"></asp:TextBox>
</td>
<td style="width: 140px">
<asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" Display="Dynamic"
Width="150px" SetFocusOnError="true" ErrorMessage="Please enter Username" ControlToValidate="txtUserNm" ValidationGroup="a"></asp:RequiredFieldValidator>
when i focus on UserName textbox and Press Tab , i am unable to loos the focus from the TextBox because of RequiredField Validator. it happens only in Chrome and IE9 . but working well in firefox.
what can be solution to loose the focus from the Textbox when using Requiredfield validator ???
Thanks
Simple... just remove the SetFocusOnError="true" or set it to false.
The only downside is you can only validate the form on form post back, not on the fly.
But, it's not even such a pain in the neck, since even if you remove this property, validation works fine in both normal web forms, and ajax update panels.
I assume that you should manually assign tabindex property to your controls in order to define loop by pressing tab.
I'm trying to create a ASP .NET website that masks the password in a registration page as the user types. I found sites that use windows form but it doesn't work for a ASP .NET website.
So if the user types in a password its masked like this
*******
Any website or suggestion on how I can get it to work would be great.
To do it the ASP.NET way:
<asp:TextBox ID="txtBox1" TextMode="Password" runat="server" />
//in aspx page
<asp:TextBox ID="password" runat="server" TextMode="Password" />
//in MVC cshtml
#Html.Password("password", "", new { id = "password", Textmode = "Password" })
Use the password input type.
<input type="password" name="password" />
Here is a simple demo http://jsfiddle.net/cPaEN/
#JohnHartsock: You can also write type="password". It's acceptable in aspx.
<asp:TextBox ID="txtBox" type="password" runat="server"/>
I think this is what you are looking for
<asp:TextBox ID="txbPass" runat="server" TextMode="Password"></asp:TextBox>
Simply select texbox property 'TextMode' and select password...
<asp:TextBox ID="TextBox1" TextMode="Password" runat="server" />