Hi, a quick question. I've got two textboxes running server side and have their visibility turned off. I'm using a couple of ASP.NET controls which require the textboxes to exist. However, I am filling them from the code behind and would not like the user to see this. Can the user turn the visibility on and see the values entered in the text box? I tried using Firebug, and I couldn't seem to select the visibility option in order to edit it. However, I'm quite new to Firebug, so there may be another way? Or does running it server side mean that the client can't ever view the contents of the textbox? Thanks

+1  A: 

Using the server side property of Visible set to false will cause the controls to not be rendered at all in the browser, which means the user wouldn't have a way to view them in page source or anything.

If, however, you use the CSS display property set to none, the control is actually rendered and just not visible in the browser... although, since it's a server side control, the value would be in the ViewState, which is encrypted, and the user would need to be tech savvy to actually get to the control values.

silverCORE
What's in the ViewState is a copy of the original value, the actual value is in the value attribute in the element, in plain text. The user doesn't have to be more savvy than to use the "View Source" option to see the value.
Guffa
@Guffa that's not necessarily true. Also, the values in ViewState are at the very least encoded, though they can also be encrypted. Even aside from that the structure of ViewState is not documented so there is no reliable way to decode it.
Eilon
I've tried looking at the page source, but couldn't find anything. So to confirm, if I use `<runat="server" visible="false"/>` for my textboxes, then the client cannot ever see these values? Or are you saying that even if the data is not rendered, it is still passed in the ViewState (which can easily be decoded)? Thanks
Skoder
@Eilon: You are mistaken. If you use CSS to hide the control the value is definitely visible in the source code as plain text.
Guffa
@Skoder: If you use the Visible property to keep the control from rendering, the value is not easily seen. The ViewState can be decoded, but not without some kind of tool. You can turn off ViewState for the control to keep the value from ending up in the source code at all, but then you have to put the value in the control every time the page loads.
Guffa
@Guffa - Thanks. I'll turn the viewstate off. The value is always unique to the user and loaded just the once, so it shouldn't be too much of a problem.
Skoder
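
An added example, not part of the original thread: a check you can run against your own page's rendered HTML to see which of the three cases discussed above actually sends the value to the browser. The control name `txtToken`, the secret and the `__VIEWSTATE` blobs are constructed; the blob is a simplified stand-in for an unencrypted ViewState (the value embedded as UTF-8 bytes), not real ASP.NET output.

```python
import base64
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> element in the page."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def audit_rendered_page(html, secret):
    """Report where `secret` is exposed in the HTML sent to the browser."""
    collector = InputCollector()
    collector.feed(html)
    findings = {"value_attribute": [], "viewstate": False}
    for attrs in collector.inputs:
        value = attrs.get("value") or ""
        if attrs.get("name") == "__VIEWSTATE":
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:
                continue
            # An unencrypted ViewState carries strings as UTF-8 bytes.
            findings["viewstate"] = secret.encode("utf-8") in raw
        elif secret in value:
            findings["value_attribute"].append(attrs.get("name"))
    return findings


def fake_viewstate(*strings):
    # Constructed stand-in for a ViewState blob, followed by 20 filler bytes.
    body = b"".join(b"\x05" + bytes([len(s)]) + s.encode() for s in strings)
    return base64.b64encode(b"\xff\x01" + body + b"\x00" * 20).decode()


SECRET = "ACCT-4471-EXAMPLE"  # constructed value
FIELD = '<input type="hidden" name="__VIEWSTATE" value="%s" />'
# style="display:none": the input is rendered, value in plain text.
CSS_HIDDEN = FIELD % fake_viewstate(SECRET) + \
    '<input name="txtToken" type="text" value="%s" style="display:none" />' % SECRET
# Visible="false" with ViewState on: no input element, value only in the blob.
NOT_RENDERED = FIELD % fake_viewstate(SECRET)
# Visible="false" with ViewState off for the control: value is not sent.
VIEWSTATE_OFF = FIELD % fake_viewstate()
```

If ViewState encryption is enabled the byte search finds nothing, so a `False` for `viewstate` only covers the unencrypted case.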