Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

(835388) - Explains that the password is displayed incorrectly when it is requested by using the Request.ServerVariables(AUTH_PASSWORD) object in an ASPX page when the password contains certain special characters.

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

BUG: The Request.ServerVariables("AUTH_PASSWORD") object does not display certain characters from an ASPX page

Article ID: 835388 - View products that this article applies to.

On This Page

SYMPTOMS

When an ASPX page is requested with a password that has characters such as Æ, ç, €, œ, ž, or £, the Request.ServerVariables("AUTH_PASSWORD") object omits these characters when the password is displayed.
Back to the top | Give Feedback

WORKAROUND

To work around the behavior that is described in the "Symptoms" section of this article, follow these steps:
  1. Start Notepad.
  2. Paste the following code in Notepad:
    <%
	Dim header as string
	Dim ticket as string		
	Dim GetAuthPassword as string
		header=Request.ServerVariables("HTTP_AUTHORIZATION")
		If  header.StartsWith("Basic") or header ="" then
			ticket = header.Substring(6)
			ticket = System.Text.Encoding.Default.GetString(Convert.FromBase64String(ticket))
			response.write(ticket.Substring((ticket.IndexOf(":")+1)))
			GetAuthPassword	=ticket.Substring((ticket.IndexOf(":")+1))
		end if 
%>

AUTH_USER=<%=Request.ServerVariables("AUTH_USER") %><br>
AUTH_PAssword=<%=GetAuthPassword%>
  3. Save the file as ExampleASPX.aspx.

    Note ExampleASPX.aspx is a placeholder for the name of the .aspx file.
Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section of this article.
Back to the top | Give Feedback

MORE INFORMATION

Steps to reproduce the behavior

Create a user

  1. At a command prompt, create a local user by using the following command:
    net user MyUser "TestÆç123" /add
  2. Add the user to the Administrators group.

Create an ASP page

  1. Start Notepad.
  2. Paste the following code in Notepad:
    AUTH_USER=<%=Request.ServerVariables("AUTH_USER") %><br>
AUTH_Password=<%=Request.ServerVariables("AUTH_PASSWORD") %>
  3. Save the page as ExampleASP.asp.

    Note ExampleASP.asp is a placeholder for the name of the .asp file.

Create an ASPX page

  1. In Notepad, paste the following code:
    AUTH_USER=<%=Request.ServerVariables("AUTH_USER") %><br>
AUTH_PASSWORD=<%=Request.ServerVariables("AUTH_PASSWORD") %><br>
  2. Save the page as ExampleASPX.aspx.

    Note ExampleASPX.aspx is a placeholder for the name of the .aspx file.

Put the files in a folder

Create a folder in C:\Inetpub\wwwroot that is named Test, and then put the created files to this folder.

Note Test is a placeholder for the name of the folder.

Create a virtual directory in Internet Information Services (IIS)

  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Internet Services Manager.
  3. In the Internet Information Services window, double-click the computer name, and then click Default Web Site.
  4. On the Action menu, point to New, and then click Virtual Directory.
  5. Complete the Virtual Directory Creation Wizard. Map the folder Test to a virtual directory in IIS. Name the virtual directory in IIS as TestApplication.

    Note TestApplication is a placeholder for the virtual directory name in IIS.

Set the directory security of the virtual directory

  1. In IIS, click the virtual directory in IIS that was created in the "Create a virtual directory in Internet Information Services (IIS)" section of this article.
  2. On the Action menu, click Properties. The TestApplication Properties dialog box appears.
  3. On the Directory Security tab, click Edit under Anonymous access and authentication control. The Authentication Methods dialog box appears.
  4. Click to clear the Anonymous access check box, and then click to select the Basic authentication (password is sent in clear test) check box. A warning message appears.
  5. Click Yes.
  6. Click to clear the Integrated windows authentication check box, and then click OK two times.

Access the ASP page from Internet Explorer

  1. Start Microsoft Internet Explorer.
  2. In the address bar, type the following URL:
    http://WebServerName/TestApplication/ExampleASP.asp
    Note WebServerName is a placeholder for the name of the Web server.
  3. Click Go.
  4. In the dialog box that appears, type MyUser in the User Name box, and then type TestÆç123 in the Password box.

    Note MyUser is the user name and TestÆç123 is the password that were created in step 1 of the "Create a user" section of this article.
  5. Click OK.

    Notice that the user name and the password with which the ASP page is being accessed appears correctly.

Access the ASPX page from Internet Explorer

  1. Start Internet Explorer.
  2. In the address bar, type the following URL:
    http://WebServerName/TestApplication/ExampleASPX.aspx
    Note WebServerName is a placeholder for the name of the Web server.
  3. Click Go.
  4. In the dialog box that appears, type MyUser in the User Name box, and then type TestÆç123 in the Password box.

    Note MyUser is the user name and TestÆç123 is the password that you created in the "Create a User" section of the article.
  5. Click OK.
Notice that the user name that the ASPX page is accessed with is displayed correctly but that the password that the ASPX page is accessed with appears incorrectly. The characters that are specified in the password are omitted.
Back to the top | Give Feedback

REFERENCES

For more information, visit the following Microsoft Developer Network (MSDN) Web sites:
http://msdn2.microsoft.com/en-us/library/x6w6xys5(vs.71).aspx
(http://msdn2.microsoft.com/en-us/library/x6w6xys5(vs.71).aspx)


http://msdn2.microsoft.com/en-us/library/system.web.httprequest.servervariables(vs.71).aspx
(http://msdn2.microsoft.com/en-us/library/system.web.httprequest.servervariables(vs.71).aspx)
Back to the top | Give Feedback

Properties

Article ID: 835388 - Last Review: May 17, 2007 - Revision: 1.4
APPLIES TO
  • Microsoft ASP.NET 1.1
  • Microsoft .NET Framework 1.0
Keywords: 
kbauthentication kbuser kbsymbols kbserver kbhttp kbbug KB835388
Back to the top | Give Feedback
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Paul Noeldner - noeldp NOSPAM-AT-NOSPAM dwd.state.wi.us Reported as Irrelevant  
Written: 4/28/2004 1:40 PM
I cannot believe it is considered a 'bug' that a logon password is NOT being revealed to code! Where is the solution to PREVENT application code from ever seeing the password?



Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting