HOW TO: Protect Passwords in WML Devices (309518)



The information in this article applies to:

  • Microsoft Mobile Internet Toolkit (MMIT)

This article was previously published under Q309518

SUMMARY

This article describes how to control password security on Wireless Markup Language (WML) mobile devices.


More Information

Users who browse to Web sites routinely must type their user name and password before they enter secured pages. Some WML browsers save the values that you type for your credentials in the device's memory. In some cases, if you then browse to another site that contains a variable with the same name as the variable that was saved in memory from the previous site, the new site can obtain the value of that variable. If this variable is your password, your password is transferred to the new site without your knowledge.

To avoid this potential problem, the Microsoft Mobile Internet Toolkit offers two solutions:
  • Set the Password attribute to "true."
  • Use the useRandomId custom attribute.
Both solutions encrypt the client identifier on the control before sending the WML deck to the client. This makes it more difficult for text box names to clash between sites or with malicious pages. For example, if both sites use the txtPassword text box to store the password, Microsoft Mobile Internet Toolkit uses txtPassword on the server and a randomly generated word on the client.
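
The name clash described above, and the effect of a randomized client name, modeled as an added Python example (not code from the Mobile Internet Toolkit). The WmlBrowser and Server classes, the server-side name map and the sample password are assumptions made for illustration.

```python
import secrets


class WmlBrowser:
    """Model of a WML browser that keeps typed values in memory across sites."""

    def __init__(self):
        self.context = {}  # variable name -> value, shared by every deck

    def fill(self, field_name, value):
        self.context[field_name] = value

    def substitute(self, deck_variables):
        """Values a newly loaded deck receives for the variable names it uses."""
        return {n: self.context[n] for n in deck_variables if n in self.context}


class Server:
    """Model of a server that can send a random client name for a control."""

    def __init__(self, randomize):
        self.randomize = randomize
        self.client_to_server = {}  # hypothetical map back to the server ID

    def render(self, server_id):
        if not self.randomize:
            return server_id
        client_name = "f" + secrets.token_hex(8)
        self.client_to_server[client_name] = server_id
        return client_name

    def receive(self, posted):
        return {self.client_to_server.get(k, k): v for k, v in posted.items()}


def leaked_to_other_site(randomize, password="constructed-secret"):
    """Return what a second site's deck that uses txtPassword would obtain."""
    server, browser = Server(randomize), WmlBrowser()
    client_name = server.render("txtPassword")
    browser.fill(client_name, password)
    # The first site still reads the value under its server-side ID.
    assert server.receive({client_name: password}) == {"txtPassword": password}
    # The value stays in browser memory, but only under the name that was sent.
    return browser.substitute(["txtPassword"])


if __name__ == "__main__":
    print("fixed name :", leaked_to_other_site(randomize=False))
    print("random name:", leaked_to_other_site(randomize=True))
```

In this model the random name only removes the clash; the typed value is still held in the browser's memory under the random name.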


Set the Password Attribute to "True"

When you use a mobile TextBox control as a password text box, set the Password attribute to "true" as follows:
<mobile:TextBox id="TextBox1" runat="server" Password="True"></mobile:TextBox>

Use the useRandomId Custom Attribute

On the mobile TextBox control, use the useRandomId custom attribute as follows:
<mobile:TextBox id="Textbox1" runat="server" useRandomId="true"> </mobile:TextBox>

You can also use the following code to set the useRandomId attribute programmatically.

Microsoft Visual Basic .NET

Textbox1.CustomAttributes.Add("useRandomId", "true")
				

Microsoft Visual C# .NET

Textbox1.CustomAttributes.Add("useRandomId", "true");
				
When you use custom attributes, such as useRandomId, you must enable the use of custom attributes in your mobile Web application. To do this, add the following code in the Web.config file for the mobile Web application:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
   <system.web>
      <mobileControls allowCustomAttributes="true" />
   </system.web>
</configuration>
				
NOTE: If you do not set allowCustomAttributes to true, you receive the following error message:
Cannot set custom attributes on mobile controls in this page.

Modification Type: Major
Last Reviewed: 10/26/2002
Keywords:kbDSupport kbhowto kbHOWTOmaster kbSecurity kbServerControls kbWMLDevice KB309518 kbAudDeveloper