Microsoft KB Archive/309518

= HOW TO: Protect Passwords in WML Devices =

Article ID: 309518

Article Last Modified on 10/26/2002

-

APPLIES TO


 * Microsoft Mobile Internet Toolkit 1.0

-



This article was previously published under Q309518



IN THIS TASK
SUMMARY
 * More Information
 * Set the Password Attribute to &quot;True&quot;
 * Use the useRandomId Custom Attribute



SUMMARY
This article describes how to control password security on Wireless Markup Language (WML) mobile devices.

back to the top

More Information
Routinely, users who browse to Web sites must type their user name and password before they enter secured pages. Some WML browsers save the values that you typed in for your credentials in the device's memory. However, in some cases, if you browse to another site that contains a variable with the same name of the variable that was saved in memory from the previous site, the new site can obtain the value of the variable. If this variable is your password, your password is transferred to the new site without your knowledge.

To avoid this potential problem, the Microsoft Mobile Internet Toolkit offers two solutions:
 * Set the Password attribute to &quot;true.&quot;
 * Use the useRandomId custom attribute.

Both solutions encrypt the client indentifier on the control before sending the WML deck to the client. This makes it more difficult for any text boxes to clash names between sites or malicious pages. For example, if both sites use the txtPassword text box to store the password, Microsoft Mobile Internet Toolkit uses txtPassword on the server and some randomly generated word on the client.

back to the top

Set the Password Attribute to &quot;True&quot;
When you use a mobile TextBox control as a password text box, set the Password attribute to &quot;true&quot; as follows:  back to the top

Use the useRandomId Custom Attribute
On the mobile TextBox control, use the useRandomId custom attribute as follows:   You can also use the following code to set the useRandomID attribute programmatically.

Microsoft Visual Basic .NET
Textbox1.CustomAttributes.Add(&quot;useRandomId&quot;, &quot;true&quot;)

Microsoft Visual C# .NET
Textbox1.CustomAttributes.Add(&quot;useRandomId&quot;, &quot;true&quot;); When you use custom attributes, such as useRandomID, you must enable the use of custom attributes in your mobile Web application. To do this, add the following code in the Web.config file for the mobile Web application:     NOTE: If you do not set allowCustomAttributes to true, you receive the following error message:

Cannot set custom attributes on mobile controls in this page.

back to the top

Additional query words: name clashing conflicts

Keywords: kbhowto kbhowtomaster kbwmldevice kbsecurity kbservercontrols KB309518

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.