ModelState is cleared, but data still shows

Question

When a user logs in, the normal thing to do is NOT give the password back. I am attempting this in MVC 5, and cannot make it happen. I have tried model.PASSWORD = "", as well as ModelState.Clear(), but the data is still showing.

Controller:

public async Task<ActionResult> Login(Login model) {
    if(ModelState.IsValid) {
        User temp = await db.Users.Where(u => u.USERNAME == model.USERNAME).FirstOrDefaultAsync();
        if(temp != null) {
            try {
                if(Password.VerifyPass(model.PASSWORD, temp.PASSWORD)) {
                    LoginUser(temp);
                    return RedirectToAction("Index", "EMR");
                }
            } catch { }
        }
    }
    ModelState.Clear();
    model.PASSWORD = "";
    ModelState.AddModelError("", "Username/password is unknown, or model was invalid!");
    return View();
}

Model:

public class Login {

        [Display(Name = "Username")]
        public string USERNAME { get; set; }

        [Display(Name = "Password")]
        public string PASSWORD { get; set; }
    }
}

View:

@using(Html.BeginForm()) {
    @Html.AntiForgeryToken()
    <div class="form-horizontal">
        <hr />
        @Html.ValidationSummary(true, "", new { @class = "text-danger" })
        <div class="form-group">
            @Html.LabelFor(model => model.USERNAME, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.EditorFor(model => model.USERNAME, new { htmlAttributes = new { @class = "form-control" } })
                @Html.ValidationMessageFor(model => model.USERNAME, "", new { @class = "text-danger" })
            </div>
        </div>

        <div class="form-group">
            @Html.LabelFor(model => model.PASSWORD, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.EditorFor(model => model.PASSWORD, new { htmlAttributes = new { @class = "form-control", @type = "password" } })
                @Html.ValidationMessageFor(model => model.PASSWORD, "", new { @class = "text-danger" })
            </div>
        </div>

        <div class="form-group">
            <div class="col-md-offset-2 col-md-10">
                <input type="submit" value="Login" class="btn btn-success" />
            </div>
        </div>
    </div>
}

Upon looking at both the ModelState variable and the model variable in VisualStudio debug mode, they BOTH show the data as "". What could possibly be causing this?

Answer 1

First decorate your password field with Password Datatype.

public class Login 
{    
        [Display(Name = "Username")]
        public string USERNAME { get; set; }

        [Display(Name = "Password")]
        [DataType(DataType.Password)]
        public string PASSWORD { get; set; }        
}

And in the view, use the PasswordFor helper method.

@Html.PasswordFor(x=>x.PASSWORD)

With this, you do not need to explicitly set the password field to empty string. MVC will do that for you.

Answer 2

As I had commented, one possible solution is to simply use @Html.PasswordFor(). This will render an input that is semantically correct for password input, which implicitly will hint for the browser to not autofill. So, instead of @Html.EditorFor, try this:

@Html.PasswordFor(model => model.PASSWORD, new { htmlAttributes = new { @class = "form-control" })

Answer 3

@CalebHuggins it looks like it is the browser who is rememberign the input fields values and populates them. You can try setting autocomplete attribute of your textboxes to "off" to avoid this.

Your model bound textbox may look like as following.

@Html.TextBoxFor(x => x.Something, new { autocomplete="off" } )

Thnaks and regards, Chetan Ranpariya

Answer 4

i think its due to the browser cashing, annotate login action with

[OutputCacheAttribute(VaryByParam = "*", Duration = 0, NoStore = true)]

in addition to

return View(model);

Answer 5

You are not passed the model back to view after clear it.

return View(model);

Still not working try as below.

var newModel = new Login { Password = "" };
ModelState.Clear();
return View(newModel);