Article ID: 309518 - Last Review: October 26, 2002 - Revision: 1.0

HOW TO: Protect Passwords in WML Devices

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q309518

On This Page

Expand all | Collapse all

SUMMARY

This article describes how to control password security on Wireless Markup Language (WML) mobile devices.

Back to the top

More Information

Routinely, users who browse to Web sites must type their user name and password before they enter secured pages. Some WML browsers save the values that you typed in for your credentials in the device's memory. However, in some cases, if you browse to another site that contains a variable with the same name of the variable that was saved in memory from the previous site, the new site can obtain the value of the variable. If this variable is your password, your password is transferred to the new site without your knowledge.

To avoid this potential problem, the Microsoft Mobile Internet Toolkit offers two solutions:
  • Set the Password attribute to "true."
  • Use the useRandomId custom attribute.
Both solutions encrypt the client indentifier on the control before sending the WML deck to the client. This makes it more difficult for any text boxes to clash names between sites or malicious pages. For example, if both sites use the txtPassword text box to store the password, Microsoft Mobile Internet Toolkit uses txtPassword on the server and some randomly generated word on the client.

Back to the top

Set the Password Attribute to "True"

When you use a mobile TextBox control as a password text box, set the Password attribute to "true" as follows: 
<mobile:TextBox id=TextBox1 runat="server" Password="True"></mobile:TextBox>
Back to the top

Use the useRandomId Custom Attribute

On the mobile TextBox control, use the useRandomId custom attribute as follows: 
<mobile:TextBox id="Textbox1" runat="server" useRandomId="true"> </mobile:TextBox>
You can also use the following code to set the useRandomID attribute programmatically.

Microsoft Visual Basic .NET

Textbox1.CustomAttributes.Add("useRandomId", "true")

Microsoft Visual C# .NET

Textbox1.CustomAttributes.Add("useRandomId", "true");
When you use custom attributes, such as useRandomID, you must enable the use of custom attributes in your mobile Web application. To do this, add the following code in the Web.config file for the mobile Web application: 
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
   <system.web>
      <mobileControls allowCustomAttributes="true" />
   </system.web>
</configuration>
NOTE: If you do not set allowCustomAttributes to true, you receive the following error message:
Cannot set custom attributes on mobile controls in this page.
Back to the top
APPLIES TO
  • Microsoft Mobile Internet Toolkit 1.0
Back to the top
Keywords: 
kbhowto kbhowtomaster kbsecurity kbservercontrols kbwmldevice KB309518
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top