How to hide value in HTML hidden field for auto logon page?

Hi,

We have a basic ASP.NET page that takes the user's username and password and logs them into an externally hosted web app through its logon page.

It works by retrieving the username password from our internal database, adding these to HTML hidden fields and using the POST method to submit into the external web app login page.

The only problem is that if you "view souce" while the ASP.NET page is loading, you are able to see the password.

Does anyone know how I can hide the "hidden" HTML field so it wont be visible in "view source", or if there would be a better was to go about this in order to submit the username and password to the login form but keep the details hidden from the user?

Thanks.
bcrawley01Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

techExtremeCommented:
yes, you need to encrypt the values and then put it in the hidden field.
0
kostantinos1995Commented:
The right thing to do is to have the passwords in your database encrypted and the ones you pass at the forms. This means that no one (including you) can know the real password as you match the encrypted passwords.
The one you pass in your form is encrypted like this (ex. DDfg97jduh#%%dd95) and the one in the database id this (ex. DDfg97jduh#%%dd95)
0
bcrawley01Author Commented:
I wont be able to encrypt the password and put it in the hidden field as we do not have access to decrypt the password once submitted to the external web app as it is SAAS based. I need a way to hide the password or another method to pass the password to the external web apps login form from my end.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

burtonrhodesCommented:
You could "hide" it in a cookie.  However cookies are readable as well - just not as obviuos to the lay user.  The only downside of that is that is stays on the computer much longer than if it were just in a html hidden field.  

The only other method you may look into is javascript/ajax.  You could use javascript in a way that stores the plain text password in javascript variable (memory).  You could "inject" this field into the form when your users submit the form.  This is still "findable" by a javascript debugger though.

Unoftunately, if you don't encrypt it in some fashion as described above, it will be in plain text somehwere on the user's system.
0
codingbeaverCommented:
Hidden field just hides information from the web browser, not from the "view source". You can use SSL to post the data to the external site. Although, you still can see the source in your own browser, but no one else can see the data even the data is somehow intercepted by bad guys.
0
rdivilbissCommented:
You'll need more than SSL to do this securely, but that is a good place to start.

If the external app allows this, then it is likely vulnerable to CSRF.

Any routers between your login form and this application?  Are those controlled by you or the external vendor, or third parties?
0
techExtremeCommented:
Putting it in simple way: without encryption the way you want it to work, is not possible.
0
bcrawley01Author Commented:
OK, would this work then:

Encrypt the password server side within the ASP.NET page, then decrypt the password client side using JavaScript just before it is submitted to the external app login page?
0
rdivilbissCommented:
No
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
halceyonCommented:
You can look at using Session state to save the username/password.  It's not the most secure, but it will definitely remove it as easily viewable by right clicking and selecting "View Source"
0
codingbeaverCommented:
@halceyon,
You cannot send a Seesion variable from one site to another.
0
halceyonCommented:
ahhhh, i thought it was all in the same site....then encryption will be your only friend....
0
techExtremeCommented:
that is the only solution in your case
0
bcrawley01Author Commented:
So then how would I do this?

I retrieve the password from the database add it to the hidden field named "Password" which is the same as the password field in the external web app form and then submit this to the external form URL.

How can I add the password to session state and then retrieve it to submit to the external web app login form?
0
codingbeaverCommented:
You cannot share Session with another web site.
0
bcrawley01Author Commented:
Its not going to share with another site, its all within the site I am developing.

This is how it works:

My site - retrieves user name and password from database, adds this to the "username" and "password" fields of the external web app login form and then submits this to log into the external web app.

Everything is done on my end. I just need a way to "encyrpt" the password so if people "view source" my page they wont see the password in clear text as they currently do.
0
codingbeaverCommented:
Are you trying to use your site to authenticate user then redirect the user to the external web site so they don't have to type in username and password again?
0
bcrawley01Author Commented:
The external website has a logon page with "username", "password".

My siite will autmoate the login process so they will not need to enter their username and password, my site will populate that and submit it to the external site, logging them in.
0
codingbeaverCommented:
I would not suggest you to include the plain text of the password in your code. Since the password is synchronized between the two site, what you can do is this:
1. After you authenticate the user, generate a password hash with an one-way hash algorithm for the user.
2. Add the hashed password to post to the external web site. The external web site gets the username and retrieve the password, then use the same hash function to generate a hashed password.
3. Compare the two hashed passwords.

This way, no one can see the plain text of the password.
0
codingbeaverCommented:
We are posting at the same time.

It needs cooperation between your site and the external web site to make it as secure as possible, and also as transparent as possible for the end user. So you will need to ask the external web site what modification they can make, have they had the same issue before, if yes, how did they handle it, etc.
0
bcrawley01Author Commented:
Only problem with that is we have no access to modify the external site. It is a vendors site and will not allow it to be modified.
0
rdivilbissCommented:
If the vendors site is not modified there is no possible way to do this securely, period.

The only option is to have your users go directly to the vendors site and login there.  Based on what you said about their login form, I don't think the vendor is secure anyway, so your users should be using different credentials at that site so they don't expose their internal company userid and password with a vendor you may not be able to rely on to protect you user's credentials.

http://en.wikipedia.org/wiki/WS-Security is a correct standard (collection of methods) for securely communicating with outside vendors.
0
codingbeaverCommented:
Find another vendor who is willing to cooperate with your company, I am serious.

As rdivilbiss said, you may just let your user go to the vendor's site to login. They have their username and password anyway, right? What's more, if I were you, I would not feel comfortable to have all my customers' credentials stored in a vendor's database, too risky.
0
bcrawley01Author Commented:
Answers given but no solution found
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
HTML

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.