Hi all,

I've got an Html.Password helper control on an edit-profile type screen. Is there a way to set the value of this when the page first loads so that if the user doesn't want to change their password, the existing one gets passed back to the controller?

Thanks Nick

+3  A: 

I know this isn't a direct answer to your question, but coming at this from the user's point of view, would the user want their password being transmitted like this? I know I would not want any of my passwords transmitted anywhere unless it was absolutely necessary.

Most sites that I've seen only require a new password in the profile screen if it needs to be changed. If it is to remain the same and not updated, the blank password fields are an indication of that. It also means that you can store the passwords in a more secure way (e.g. a one-way salted hash) that does not permit password retrieval in any way (which, if they could be retrieved, would be a potential security risk in itself).

Colin Mackay
I agree with this, but I suppose there may be certain use cases where this may be useful.
tvanfosson
In which use cases would it be helpful to have the website pre-populate the update password fields on a form with the existing password over leaving the password fields blank?
Colin Mackay
The question was not about "In which use-cases would it be helpful?" but about "how to do this?".
eu-ge-ne
I do understand your comment Colin and I may re-consider the workflow of the process.
Nick Swan
@eu-ge-ne My comment was in response to tvanfosson. I realise what the original question was, but if I think the original question points in the wrong direction (or down an inefficient path) then I will always point that out. I cannot force the original poster to accept my advice, but I offer it freely in case it is useful or it is something that was not originally thought about.
Colin Mackay
@Colin - just speculating, let's say your application allowed the user to synchronize with a third-party web site. You need to get their credentials for the external site. As a convenience, on the page where you get those credentials you supply the user's existing id/password for your site in case the user wants to reuse them for the other site.
tvanfosson
To tie all these together, the simplest way to solve the problem is to test whether the user entered anything in the password field, and then follow normal processes to change the password. As Colin pointed out, best-practices would prevent the password from being retrieved anyway.
GalacticCowboy
@Colin Mackay - Your answer is helpful. But I totally agree with tvanfosson's comment - you cannot cover all possible situations.
eu-ge-ne
I agree that there will always be some cases where you want to show the existing password. However, you don't do that by pre-populating the password field, but by writing it out as plain text. Pre-populating the password field is an *unnecessary* case of transmitting the user's password.
James S
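
Added example, not part of the original thread: one way to implement the approach described in the answer and comments above, where the password field is rendered empty, a blank submission leaves the stored credential untouched, and only a salted one-way hash is kept. `UserRecord`, `ProfileService` and the PBKDF2 parameters are hypothetical names and assumed values, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical user record: holds a salt and a one-way hash, never the password itself.
public sealed class UserRecord
{
    public string Email = "";
    public byte[] Salt = Array.Empty<byte>(), Hash = Array.Empty<byte>();
}

public static class ProfileService
{
    const int Iterations = 600_000, SaltBytes = 16, HashBytes = 32; // assumed parameters

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    public static void SetPassword(UserRecord user, string password)
    {
        user.Salt = RandomNumberGenerator.GetBytes(SaltBytes); // fresh salt on every change
        user.Hash = Derive(password, user.Salt);
    }

    public static bool Verify(UserRecord user, string password) =>
        CryptographicOperations.FixedTimeEquals(Derive(password, user.Salt), user.Hash);

    // Logic for the edit-profile POST action. The view renders the password input
    // with no value, so an empty field means "keep the current password".
    // Returns true only when the password was actually changed.
    public static bool UpdateProfile(UserRecord user, string email, string newPassword)
    {
        user.Email = email;
        if (string.IsNullOrEmpty(newPassword))
            return false; // field left blank: stored salt and hash stay as they are
        SetPassword(user, newPassword);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new UserRecord();
        ProfileService.SetPassword(user, "constructed-sample-1"); // constructed sample value
        bool changed = ProfileService.UpdateProfile(user, "nick@example.com", "");
        Console.WriteLine($"changed={changed} oldValid={ProfileService.Verify(user, "constructed-sample-1")}");
        changed = ProfileService.UpdateProfile(user, "nick@example.com", "constructed-sample-2");
        Console.WriteLine($"changed={changed} oldValid={ProfileService.Verify(user, "constructed-sample-1")}");
    }
}
```

Because the server holds only the salt and hash, there is no stored password that could be written back into the form.
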
+4  A: 

Html.Password helper does not use ViewData automatically (see ASP.NET MVC source, InputExtensions.cs file, line 78, line 184). You need something like this:

<%= Html.Password("password", ViewData["password"]) %>

UPDATED:

Tested in Opera 10b, Firefox 3.5, Internet Explorer 8

eu-ge-ne
The HTML spec is somewhat fuzzy on this, but some browsers will not render an initial value for a "password" field, so you have to resort to additional data-binding or JavaScript tricks to set a value.
GalacticCowboy
For example, Opera 10b and Firefox 3.5 render it
eu-ge-ne
IE8 renders too
eu-ge-ne
Yeah, you're right. I know this used to be the case, because I've had to deal with it...
GalacticCowboy
The HTML 4.01 spec states "Note that the current value is the text entered by the user, not the text rendered by the user agent.", and "The control's 'current value' is first set to the initial value. Thereafter, the control's current value may be modified through user interaction and scripts. A control's initial value does not change."
GalacticCowboy