Ticket T343674
Visible to All Users
Duplicate

We have closed this ticket because another page addresses its subject:

PropertiesTextEdit and password

Password field content disappearing

created 9 years ago (modified 9 years ago)

Hello,
In relation to the previous post T343397 ("Security: empty password"), empty passwords are no longer allowed in my ASP.NET XAF system.
Of course, it is now necessary to set the password during the new user creation process, so I added two more fields called "Password" and "Password again", both configured with IsPassword=True in the Model Editor.

I'm asking you for help with one small inconvenience. The password value always disappears when any popup window is shown.
The usual steps are to set the username, then the passwords, then choose the user roles. But when the lookup window for user roles is shown, the passwords disappear, probably for security reasons. See the attached video.

Is there any way to prevent it?
Thanks

Answers approved by DevExpress Support

created 9 years ago (modified 8 years ago)

Hello,

Please pardon my delayed response. It took me some additional time to re-check this known and designed behavior of standard Microsoft ASP.NET and third-party text editors with the latest product versions:
UI.Web - The entered password disappears after PostBack or CallBack in the Logon form
PropertiesTextEdit and password

It is also not a good idea to expose the password field directly in the detail form and allow end-users to edit it along with other fields (as shown in your video). At least, this is not how it is done in most web applications to ensure the best security. In common web applications the password field is not directly shown on the form, but rather implemented in a more sophisticated way. For instance, in XAF, the security user entity has the following hidden field:

Code
    // Not shown in the UI (Browsable(false)); stored in the database (Persistent).
    [Browsable(false)]
    [Size(SizeAttribute.Unlimited)]
    [Persistent]
    [SecurityBrowsable]
    protected string StoredPassword {
        get { return storedPassword; }
        set { SetPropertyValue("StoredPassword", ref storedPassword, value); }
    }

This field can be set only by calling a separate method:

Code
    // The only write path: the clear-text password is hashed before it is stored.
    public void SetPassword(string password) {
        StoredPassword = SecurityUserBase.GeneratePassword(password);
    }

Take special note that it is best practice not to store the password as is, but rather to store its salted hash.

As for editing the password, a separate form is often used. For instance, in XAF, there is the standard ChangePasswordController class that provides a specialized ChangeMyPassword command for that purpose (check out this link for more details…).
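The pattern described in this answer (a stored value that is not bound to any editor, written only through a SetPassword method, holding a salted hash rather than the password) and the logon-time rejection of users with an empty stored value mentioned in the comments below, shown as a plain .NET example. This is an added illustration, not DevExpress or XAF code: the type AppUser, the field storedPasswordHash and the methods SetPassword/VerifyPassword are hypothetical names, the storage format is an assumption, and it uses only Rfc2898DeriveBytes and CryptographicOperations.FixedTimeEquals from the base class library (the latter requires .NET Core 2.1+ or .NET 5+).

```csharp
using System;
using System.Security.Cryptography;

// Added example (not DevExpress/XAF code). AppUser, storedPasswordHash,
// SetPassword and VerifyPassword are hypothetical names chosen for illustration.
public class AppUser
{
    private const int SaltSize = 16;     // bytes of random salt per password
    private const int HashSize = 32;     // PBKDF2-SHA256 output length
    private const int Iterations = 100000;

    public string UserName { get; set; }

    // Never exposed to a UI editor; only SetPassword writes to it.
    // Assumed storage format: "<iterations>.<base64 salt>.<base64 hash>"
    private string storedPasswordHash;

    public bool HasPassword
    {
        get { return !string.IsNullOrEmpty(storedPasswordHash); }
    }

    // The single write path for the password: hash with a fresh random salt.
    public void SetPassword(string password)
    {
        if (string.IsNullOrEmpty(password))
            throw new ArgumentException("Empty passwords are not allowed.", "password");

        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] hash = Derive(password, salt, Iterations);
        storedPasswordHash = string.Join(".",
            Iterations.ToString(),
            Convert.ToBase64String(salt),
            Convert.ToBase64String(hash));
    }

    // Logon check. A record whose stored value is empty (for example one saved
    // before any password was set) is rejected here rather than let in.
    public bool VerifyPassword(string candidate)
    {
        if (!HasPassword || string.IsNullOrEmpty(candidate))
            return false;

        string[] parts = storedPasswordHash.Split('.');
        if (parts.Length != 3)
            return false;

        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Derive(candidate, salt, iterations);

        // Constant-time comparison so a wrong guess cannot be timed byte by byte.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}

public static class Demo
{
    public static void Main()
    {
        var user = new AppUser { UserName = "alice" };
        Console.WriteLine("Logon with no password set, empty candidate: " + user.VerifyPassword(""));

        user.SetPassword("correct horse battery staple");
        Console.WriteLine("Logon with the right password: " + user.VerifyPassword("correct horse battery staple"));
        Console.WriteLine("Logon with a wrong password:    " + user.VerifyPassword("wrong"));
    }
}
```

The point of keeping the hash behind a method rather than a bindable property is the one made in the answer: the detail form never carries the password at all, so nothing needs to survive a postback or callback, and an administrator clearing the stored value produces an account that cannot log on instead of one that accepts an empty password.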

    Dennis Garavsky (DevExpress) 9 years ago

      >>But when he deletes the StoredPassword field content, he has free access to the system where all the data are decrypted.
      If you want, you can reject such users with empty passwords during the logon procedure.

      >>So as result, here are two options only, right?
      Yes, you are correct.

      >>(and what if user cancels it?)
      Would you please provide step-by-step instructions for your scenario and describe your problems with it?

        >> If you want, you can reject such users with empty passwords during the logon procedure.
        Yes, I know. And I have it implemented. Your colleague advised me to do that in T343397 (Security: empty password).

        >> Would you please provide step-by-step instructions

        As I understand, you advised me:

        1. A new user record is created
        2. StoredPassword is empty by default (so the user can never log on, due to the protection described above)
        3. Save record
        4. And … somehow (on DefaultWebModificationController?) display the change password dialog directly, as a popup window.

        And I said: what happens when the user clicks the Cancel button of the popup window? The user's password remains unchanged. The user will not be able to log on until the admin changes his password in the regular way.
        Yes, it's the user's fault, but … I don't know, this seems like a strange procedure to me.

        Dennis Garavsky (DevExpress) 9 years ago

          >>Yes I know. And I have it implemented. Your colleague advised me that in T343397 Security: empty password.
          Great, thanks for the info!

          >>And I said, what happens when user clicks on Cancel button of popup window? The user password remains unchanged…
          Thanks for your clarification. Yes, it is a possible situation. If this is a real and confirmed problem for your clients and administrators, you can consider alternative options. As I mentioned above, XAF provides plenty of built-in options that may meet your needs better: eXpressApp Framework > Concepts > Security System > Passwords in the Security System. For instance, the built-in "Change Password On First Logon" and "Reset Password" options seem to be the easiest ones for your administrators.
