Can not access UserName and Password textbox in login template

Question

User426001450 posted

I do have the following HTML markup for a login control:

 <asp:Login ID="Login1" runat="server" RememberMeSet="true" DestinationPageUrl="~/Default.aspx" >
       
        <LayoutTemplate>
            <table border="0" cellpadding="4" cellspacing="0" style="border-collapse: collapse">
                <tr>
                    <td>
                        <table border="0" cellpadding="0" style="width: 330px; height: 271px">
                            <tr>
                                <td align="center" style="font-weight: bold; font-size: 0.9em; color: white; background-color: #1c5e55; width: 326px;">
                                    Log In</td>
                            </tr>
                            <tr>
                                <td align="center" style="color: black; font-style: italic; width: 326px;">
                                    Please enter your Username and Password and click "Log In".</td>
                            </tr>
                            <tr>
                                <td style="width: 326px">
                                    <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">Username:</asp:Label></td>
                            </tr>
                            <tr>
                                <td style="width: 326px">
                                    <asp:TextBox ID="UserName" runat="server" Font-Size="0.8em"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName"
                                        ErrorMessage="User Name is required." ToolTip="User Name is required." ValidationGroup="Login1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td style="width: 326px">
                                    <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label></td>
                            </tr>
                            <tr>
                                <td style="width: 326px">
                                    <asp:TextBox ID="Password" runat="server" Font-Size="0.8em" TextMode="Password"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password"
                                        ErrorMessage="Password is required." ToolTip="Password is required." ValidationGroup="Login1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td style="width: 326px">
                                    <asp:CheckBox ID="RememberMe" runat="server" Text="Remember me next time." />
                                </td>
                            </tr>
                            <tr>
                                <td align="center" style="color: red; width: 326px;">
                                    <asp:Literal ID="FailureText" runat="server" EnableViewState="False"></asp:Literal>
                                </td>
                            </tr>
                            <tr>
                                <td align="right" style="width: 326px">
                                    <asp:Button ID="LoginButton" runat="server" BackColor="White" BorderColor="#C5BBAF"
                                        BorderStyle="Solid" BorderWidth="1px" CommandName="Login" Font-Names="Verdana"
                                        Font-Size="0.8em" ForeColor="#1C5E55" Text="Log In" ValidationGroup="Login1" OnClick="LoginButton_Click" />
                                </td>
                            </tr>
                        </table>
                    </td>
                </tr>
            </table>
        </LayoutTemplate>
    </asp:Login>
    <br />


   

I would like to access the UserName and Password textbox from code behind like this:

 Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load

        If Not IsPostBack Then
          If ((Not (Request.Cookies("UserName")) Is Nothing) _
            AndAlso (Not (Request.Cookies("Password")) Is Nothing)) Then
             UserName.Text = Request.Cookies("UserName").Value
              Login1.FindControl("UserName"). = Request.Cookies("UserName").Value
               Password.Attributes("value") = Request.Cookies("Password").Value
          End If
        End If

 End Sub


    Protected Sub LoginButton_Click(sender As Object, e As EventArgs)

          If RememberMe.Checked Then
             Response.Cookies("UserName").Expires = DateTime.Now.AddDays(30)
             Response.Cookies("Password").Expires = DateTime.Now.AddDays(30)
          Else
             Response.Cookies("UserName").Expires = DateTime.Now.AddDays(-1)
             Response.Cookies("Password").Expires = DateTime.Now.AddDays(-1)
          End If
           Response.Cookies("UserName").Value = UserName.Text.Trim
           Response.Cookies("Password").Value = Password.Text.Trim

    End Sub

But the problem is that the code behind is giving me error. I can not access none of the textboxes from code behind. It is my understanding that this is because both textbox are inside the login control template. I tried "find control" but is not working either. Thanks all for your help.

 

Answer 1

User-1716253493 posted

Access it by Login1.UserName and Login1.Password

Answer 2

User426001450 posted

Login1.UserName works fine as : Login1.UserName = Request.Cookies("UserName").Value.ToString

But the following two are not working:

Login1.Password = Request.Cookies("Password").Value.ToString  **** no working

Login1.RememberMe.Checked  *** no working

Any thoughts on that?

Thanks

Answer 3

User-943250815 posted

Sorry if I´m loosing something here. But why compare User & Password with Cookie?
I use Membership with Login control and just need to check Membership.ValidateUser(Login1.Username, Login1.Password)

Answer 4

User426001450 posted

Sorry if I´m loosing something here. But why compare User & Password with Cookie?
I use Membership with Login control and just need to check Membership.ValidateUser(Login1.Username, Login1.Password)

That may work if user is already log, but in my case user is not. Thanks

Answer 5

User753101303 posted

Hi,

And you don't have an error message? My guess is that those values are read-only for safety reasons. This is the same in HTML ie you can't programmatically assign a value to an input type=password field.

It seems you are trying to reimplement your own "remember me" and/or "password manager" ? It is already handled by ASP.NET and most if not all browsers. Also your approach seems really unsecure as you'll store a clear text password in a cookie.

IMHO you should just use the available existing features. Or explain which benefit you are trying to get but doing this again another way.

Answer 6

User426001450 posted

PatriceSc

It seems you are trying to reimplement your own "remember me" and/or "password manager" ? It is already handled by ASP.NET and most if not all browsers. IMHO you should just use the available existing features. 

If that is the case, please provide code sample or link in what a 'remember me' will work and where users do not have to enter the username and password again to login. In other words the site will remember users and will allow them to enter (login) automatically. Your sample should be in VB since that is the language that I'm working with.

Thanks very much for trying to help 

Answer 7

User-943250815 posted

When user is not logged just check with sample, bellow I know if user is logged or not, prepare my captcha and login control do all the rest for me

If Not HttpContext.Current.User.Identity.IsAuthenticated Then
   MakeCaptcha()
Else
 ' Check if user is on same SessionID
Endif

Answer 8

User475983607 posted

If that is the case, please provide code sample or link in what a 'remember me' will work and where users do not have to enter the username and password again to login. In other words the site will remember users and will allow them to enter (login) automatically. Your sample should be in VB since that is the language that I'm working with.

The FormsAuthentication.RedirectFromLoginPage() method takes the RememberMe.Checked as a parameter. When set to true the Forms Auth cookie is persisted.  The following doc(s) found in the learn link above shows the code.

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/membership/validating-user-credentials-against-the-membership-user-store-vb

Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles LoginButton.Click

 ' Validate the user against the Membership framework user store
 If Membership.ValidateUser(UserName.Text, Password.Text) Then
 ' Log the user into the site
 FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked)
 End If
    
 ' If we reach here, the user's credentials were invalid
 InvalidCredentialsMessage.Visible = True
End Sub

The Forms Auth cookie timeout is configured in the web.config.

<authentication mode="Forms">
  <forms loginUrl="~/login.aspx" timeout="2880" />
</authentication>

https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.formsauthenticationconfiguration?view=netframework-4.7.2

Answer 9

User426001450 posted

When user is not logged just check with sample, bellow I know if user is logged or not, prepare my captcha and login control do all the rest for me

If Not HttpContext.Current.User.Identity.IsAuthenticated Then
   MakeCaptcha()
Else
 ' Check if user is on same SessionID
Endif

This is my scenario. The login session expired after an idle hour. User got in front of the computer after that, click something and found that is not log. The site take him to the login page. Since he clicked "Remember me" when he first login hours ago, how could he possible get log again without providing username and password. It is possible? In your code you check if user is still in session. In my case he is not in session any longer, see the difference?

Thanks

 

Answer 10

User475983607 posted

This is my scenario. The login session expired after an idle hour. User got in front of the computer after that, click something and found that is not log. The site take him to the login page. Since he clicked "Remember me" when he first login hours ago, how could he possible get log again without providing username and password. It is possible? In your code you check if user is still in session. In my case he is not in session any longer, see the difference?

Please read the linked docs above.

Answer 11

User753101303 posted

And for the "password manager" see https://support.1password.com/disable-browser-password-manager/ (this site serve some other purpose but it shows where it is for each browser).

At some point HTML even dropped the ability for site authors to disable password managers to keep users in control and avoid a possibly counter productive situation. It pushes everybody to use simple passwords, to reuse passwords or even to keep them handy.

On the other side, it can be misused but other users are still able to take advantage of it.

Edit: for the 3rd point it seems a confusion between the browser session which is unrelated to the user authentication and more likely it should be handled separately. Depending on what happens when the browser session expires :
- you could make it longer so that it expires after the user authentication expired
- or the app could be written to be not sensitive to that siutation (for example using session values as a kind of user cache ie reloading missing session values as needed).

Answer 12

User-943250815 posted

@vstorpedo,
In my case user is not allowed multiple logins, so if user try to logon on another machine or browser, the first session will be logged out, and user have to loggin again, a kind of follow-me.
I think "Remember Me" you mention, is the resource offered by browsers, just to make life easy, so if I want to make my user life easy, I just remove authentication.
So between make life easy and data secure, you have to choose where you sit, there an average point where you can be confortable, and resources are already pointed by @mgebhard and @PatriceSC

In addition to all alredy posted and "IF I´M NOT WRONG"
ASP.Net forms authentication "session" renew its authentication ticket only when the total escape time exceeds the half of the configured timeout
Default Session Timeout is 20 minutes, so if user still working authentication time will be extended
For Session Tiemout check https://docs.microsoft.com/en-us/dotnet/api/system.web.sessionstate.httpsessionstate.timeout?view=netframework-4.7.2