view and edit password using razor

  • Question

  • User-1566284277 posted

    hi everyone how are 

    I have a page that displays the user's information so that he can edit it if he wants.

    So it's supposed to display his information, including the password (as dots), and when he edits it, it should also be edited in dots mode.

    But I don't know how to do that in the view.

    So if I use @html.password or @html.passwordfor,

    both of them give me an empty text box,

    and if I use @html.textboxfor it gets the value, but not in dots mode.

    I also tried @html.textboxfor(x=>x.passowrd,"****",new { htmlAttributes = new { @class = "form-control" } })

    but if I changed the password it didn't appear in dots mode, and if I didn't change it then it stores password = **** (not the same old password).

    How can I edit that situation?

    Monday, March 22, 2021 11:16 AM

All replies

  • User475983607 posted

    You are creating a security vulnerability by returning the password. The user should enter their current password along with the new password.

    Visual Studio templates have password recovery source code.   Create a new MVC project using the "Individual Account" option. This template has forgot password and reset password features.  I recommend taking a look at the code.

    https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity

    Monday, March 22, 2021 11:53 AM
  • User323983933 posted

    If you look in your database in the table ASPNETUSERS, you'll see that the password is not stored.

    The system creates a Password Hash.  https://www.quora.com/What-is-a-hashed-password?share=1

    Running the hash algorithm on the same password will always produce the same hash, but there is no way to unhash the hash back into a password.  This is a STANDARD security configuration.  If you want to store passwords in the clear, you might as well not have passwords or logins, as you have just lowered your security level to zero.

    When the system asks you for the password, it hashes whatever you type in, and compares the hash to the database. 

    ALSO: you should NEVER run a login page without HTTPS://.  On HTTP:// the password text is sent in the clear.  Even in a corporate intranet environment, malware might be able to intercept the request and record users' login/password combo.

    Monday, March 22, 2021 5:28 PM
  • User1686398519 posted

    Hi samaremad, 

    1. so its suppose that it display its information included password (as dots) and when he edit it also edit it in dots mode 
      1. You can use Html.Password() or Html.PasswordFor() to meet your needs.
        1. You need to set the input value.
          1. so if i used @html.password or @html.passwordfor 

            both of them get me empty text box

          2. If you do not set the input value, "@Html.PasswordFor()" and "Html.Password()" will render the following html on the razor view:
            • <input id="Password" name="Password" type="password">
          3. Therefore your rendered input has no value.
        2. You can write it like this:
          1. @Html.PasswordFor(m => m.Password, new { value = Model.Password })
          2. @Html.Password("Password", Model.Password)
        3. Result:
    2. But this is not a safe way. If your password is in plain text, you can view the hidden password through F12 in your browser.
      1. <input type="password">: <input> elements of type password provide a way for the user to securely enter a password
      2. Regarding editing a user’s password, you can ask the current user to enter the old password and then enter the new password. Only when the old password is correct, can it be successfully changed to the new password.
      3. I wrote a simple example, you can refer to it.
        1. Model
          •     public class TestPasswordModel
                {
                    public string Password { get; set; }
                }
        2. Controller
          •         public ActionResult Index()
                    {
                        TestPasswordModel model = new TestPasswordModel {Password="test"};
                        return View(model);
                    }
                    [HttpPost]
                    public ActionResult Index(TestPasswordModel model,string NewPassword)
                    {
                        //This is just a simple judgment, you need to modify it according to your own situation
                        if (model.Password== "test")//Judge whether the old password entered by the current user is correct
                        {
                            /*It’s best not to store the password in plain text, here is just a simple example*/
                            //If the current user’s old password matches, it can be changed to a new password
                            model.Password = NewPassword;
                            //Modify the value in the database
                        }
                        return RedirectToAction("Index");
                    }
        3. View
          • @using (Html.BeginForm("Index", "TestPassword", FormMethod.Post))
            {
                <p>Old Password:</p>@Html.PasswordFor(m => m.Password)
                <p>New Password:</p>@Html.Password("NewPassword")
                <button type="submit">edit</button>
            }

    Best Regards,

    YihuiSun

    Tuesday, March 23, 2021 9:59 AM
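
Added example, not part of the thread or of any poster's code: the flow the replies describe (store only a hash, hash what the user types and compare, change the password only when the current one matches) as a small console program. The class and method names, the salted PBKDF2 scheme and its parameters are assumptions made for this sketch; it is not ASP.NET Identity's own hasher, and it assumes .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.Security.Cryptography;
// Only a random salt and the derived hash are stored, never the password.
public sealed class PasswordRecord
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
}

public static class PasswordChange
{
    const int Iterations = 100000, SaltBytes = 16, HashBytes = 32; // assumed parameters

    public static PasswordRecord Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new PasswordRecord { Salt = salt, Hash = Derive(password, salt) };
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Re-derive from the typed password and compare without an early exit.
    public static bool Verify(PasswordRecord rec, string candidate)
    {
        if (candidate == null) return false;
        var h = Derive(candidate, rec.Salt);
        int diff = h.Length ^ rec.Hash.Length;
        for (int i = 0; i < h.Length && i < rec.Hash.Length; i++) diff |= h[i] ^ rec.Hash[i];
        return diff == 0;
    }

    // Returns the record to save, or null when the current password does not match.
    public static PasswordRecord TryChange(PasswordRecord rec, string current, string next)
    {
        if (string.IsNullOrEmpty(next) || !Verify(rec, current)) return null;
        return Create(next); // fresh salt and hash; the old record is replaced
    }

    public static void Main()
    {
        var rec = Create("constructed-old-password"); // constructed sample values
        Console.WriteLine(TryChange(rec, "wrong-guess", "constructed-new-password") == null);
        Console.WriteLine(TryChange(rec, "constructed-old-password", "constructed-new-password") != null);
    }
}
```

Because nothing reversible is stored, the edit page has no password value to render; the form only collects the current and new passwords.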