1

I'm using a PasswordBox on a Page. Because of the implemented workflow the user can navigate to sub pages (NavigationWindow) and than return with GoBack() to the main page.

But when doing that, the password box is always empty! My job is to prevent that behaviour, but at the moment I have no clue how do achive that.

It would be great if you could help me out. Thanks

jv42
  • 8,521
  • 5
  • 40
  • 64
BitKFu
  • 3,649
  • 3
  • 28
  • 43
  • I'm just wondering why you want to turn that off? Navigating away from the login page without having logged in cancels the process, it's fine to start over. Security should be - in this case (IMHO) - valued higher than usability. If for some reason you need to refer to the password in codebehind ever and ever again, you should consider rethinking your architecture. Either by saving the password in a viewmodel after login or by completely rethinking your login-logout model. – Sascha May 28 '12 at 11:07
  • Hi Sascha. This is not the login page, but the configuration page where you can set the password. The Navigation to sub pages is for setting options. I don't want to store page by page to the database. I want to store all options at once, when the user saves them. So I must keep them in memory until the user presses "Save". – BitKFu May 28 '12 at 14:06

2 Answers2

2

It is a feature.

See: How to bind to a PasswordBox in MVVM

To enable the backward navigation the state of the page needs to be stored. And that is not secure.

Community
  • 1
  • 1
Emond
  • 50,210
  • 11
  • 84
  • 115
  • but even with this solution the password is only stored in the ViewModel, but not in the View. I want the PasswordBox to keep the password when the user navigates back from a subpage. As I said above, this is not the login page, but the configuration page where the user can set his password. – BitKFu May 28 '12 at 14:08
  • even then (it is)/(they consider it) a potential security threat – Emond May 28 '12 at 15:26
-1

I don't think his exact problem is a feature, but a bug of the navigation service.

In your code behind you have no easy way to distinguish between the navigation control blanking your password on navigation or the user blanking it by deleting it from the box. So if you don't consider that, your password in your viewmodel will always be blank if you navigate to another page.

I used this hack to determine who called my password changed handler to update the view model:

private void PasswordBox_OnPasswordChanged(object sender, RoutedEventArgs e)
{
    StackTrace stack = new StackTrace();
    StackFrame[] stackframes = stack.GetFrames();
    foreach (StackFrame stackFrame in stackframes)
        if(stackFrame.GetMethod().Name == "Navigate")
            return;
    ViewModelPassword = PasswordBox.SecurePassword;
....

Take a look here too: http://www.wpfsharp.com/2011/04/08/wpf-navigationservice-blanks-passwordbox-password-which-breaks-the-mvvm-passwordhelper/

ecreif
  • 1,182
  • 1
  • 12
  • 25