?
Solved

How to hide value in HTML hidden field for auto logon page?

Posted on 2010-01-10
24
Medium Priority
?
779 Views
Last Modified: 2012-05-08
Hi,

We have a basic ASP.NET page that takes the user's username and password and logs them into an externally hosted web app through its logon page.

It works by retrieving the username password from our internal database, adding these to HTML hidden fields and using the POST method to submit into the external web app login page.

The only problem is that if you "view souce" while the ASP.NET page is loading, you are able to see the password.

Does anyone know how I can hide the "hidden" HTML field so it wont be visible in "view source", or if there would be a better was to go about this in order to submit the username and password to the login form but keep the details hidden from the user?

Thanks.
0
Comment
Question by:bcrawley01
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
  • 3
  • +4
24 Comments
 
LVL 12

Expert Comment

by:techExtreme
ID: 26277254
yes, you need to encrypt the values and then put it in the hidden field.
0
 
LVL 2

Expert Comment

by:kostantinos1995
ID: 26277628
The right thing to do is to have the passwords in your database encrypted and the ones you pass at the forms. This means that no one (including you) can know the real password as you match the encrypted passwords.
The one you pass in your form is encrypted like this (ex. DDfg97jduh#%%dd95) and the one in the database id this (ex. DDfg97jduh#%%dd95)
0
 

Author Comment

by:bcrawley01
ID: 26279259
I wont be able to encrypt the password and put it in the hidden field as we do not have access to decrypt the password once submitted to the external web app as it is SAAS based. I need a way to hide the password or another method to pass the password to the external web apps login form from my end.
0
Percona Live Europe 2017 | Sep 25 - 27, 2017

The Percona Live Open Source Database Conference Europe 2017 is the premier event for the diverse and active European open source database community, as well as businesses that develop and use open source database software.

 
LVL 3

Expert Comment

by:burtonrhodes
ID: 26279462
You could "hide" it in a cookie.  However cookies are readable as well - just not as obviuos to the lay user.  The only downside of that is that is stays on the computer much longer than if it were just in a html hidden field.  

The only other method you may look into is javascript/ajax.  You could use javascript in a way that stores the plain text password in javascript variable (memory).  You could "inject" this field into the form when your users submit the form.  This is still "findable" by a javascript debugger though.

Unoftunately, if you don't encrypt it in some fashion as described above, it will be in plain text somehwere on the user's system.
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26279555
Hidden field just hides information from the web browser, not from the "view source". You can use SSL to post the data to the external site. Although, you still can see the source in your own browser, but no one else can see the data even the data is somehow intercepted by bad guys.
0
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 26280263
You'll need more than SSL to do this securely, but that is a good place to start.

If the external app allows this, then it is likely vulnerable to CSRF.

Any routers between your login form and this application?  Are those controlled by you or the external vendor, or third parties?
0
 
LVL 12

Expert Comment

by:techExtreme
ID: 26280384
Putting it in simple way: without encryption the way you want it to work, is not possible.
0
 

Author Comment

by:bcrawley01
ID: 26280748
OK, would this work then:

Encrypt the password server side within the ASP.NET page, then decrypt the password client side using JavaScript just before it is submitted to the external app login page?
0
 
LVL 29

Accepted Solution

by:
rdivilbiss earned 1500 total points
ID: 26280771
No
0
 
LVL 2

Expert Comment

by:halceyon
ID: 26281510
You can look at using Session state to save the username/password.  It's not the most secure, but it will definitely remove it as easily viewable by right clicking and selecting "View Source"
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26283452
@halceyon,
You cannot send a Seesion variable from one site to another.
0
 
LVL 2

Expert Comment

by:halceyon
ID: 26283467
ahhhh, i thought it was all in the same site....then encryption will be your only friend....
0
 
LVL 12

Expert Comment

by:techExtreme
ID: 26283842
that is the only solution in your case
0
 

Author Comment

by:bcrawley01
ID: 26288501
So then how would I do this?

I retrieve the password from the database add it to the hidden field named "Password" which is the same as the password field in the external web app form and then submit this to the external form URL.

How can I add the password to session state and then retrieve it to submit to the external web app login form?
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26288543
You cannot share Session with another web site.
0
 

Author Comment

by:bcrawley01
ID: 26288587
Its not going to share with another site, its all within the site I am developing.

This is how it works:

My site - retrieves user name and password from database, adds this to the "username" and "password" fields of the external web app login form and then submits this to log into the external web app.

Everything is done on my end. I just need a way to "encyrpt" the password so if people "view source" my page they wont see the password in clear text as they currently do.
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26288591
Are you trying to use your site to authenticate user then redirect the user to the external web site so they don't have to type in username and password again?
0
 

Author Comment

by:bcrawley01
ID: 26288617
The external website has a logon page with "username", "password".

My siite will autmoate the login process so they will not need to enter their username and password, my site will populate that and submit it to the external site, logging them in.
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26288621
I would not suggest you to include the plain text of the password in your code. Since the password is synchronized between the two site, what you can do is this:
1. After you authenticate the user, generate a password hash with an one-way hash algorithm for the user.
2. Add the hashed password to post to the external web site. The external web site gets the username and retrieve the password, then use the same hash function to generate a hashed password.
3. Compare the two hashed passwords.

This way, no one can see the plain text of the password.
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26288663
We are posting at the same time.

It needs cooperation between your site and the external web site to make it as secure as possible, and also as transparent as possible for the end user. So you will need to ask the external web site what modification they can make, have they had the same issue before, if yes, how did they handle it, etc.
0
 

Author Comment

by:bcrawley01
ID: 26288667
Only problem with that is we have no access to modify the external site. It is a vendors site and will not allow it to be modified.
0
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 26289174
If the vendors site is not modified there is no possible way to do this securely, period.

The only option is to have your users go directly to the vendors site and login there.  Based on what you said about their login form, I don't think the vendor is secure anyway, so your users should be using different credentials at that site so they don't expose their internal company userid and password with a vendor you may not be able to rely on to protect you user's credentials.

http://en.wikipedia.org/wiki/WS-Security is a correct standard (collection of methods) for securely communicating with outside vendors.
0
 
LVL 10

Expert Comment

by:codingbeaver
ID: 26290189
Find another vendor who is willing to cooperate with your company, I am serious.

As rdivilbiss said, you may just let your user go to the vendor's site to login. They have their username and password anyway, right? What's more, if I were you, I would not feel comfortable to have all my customers' credentials stored in a vendor's database, too risky.
0
 

Author Closing Comment

by:bcrawley01
ID: 31675159
Answers given but no solution found
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, the web development industry is booming, and many people consider it to be their vocation. The question you may be asking yourself is – how do I become a web developer?
Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question