Solved

How to hide the password and username so they are not revealed in POST data in ASP.NET?

Posted on 2016-07-20
Last Modified: 2016-08-04
Hi, from our login page, when a user logs in, the POST data reveals the user name and password as follows:

```
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In
```


Could someone throw some light on how to fix this? This is a security issue we want to fix in our site. Thanks.
Question by: Valliappan AN
8 Comments

Expert Comment by: JesNoFear (ID: 41721120)
Use Session("UserName") and Session("Password"), or make them less descriptive.
Session("xxxx") is a user-session-based variable.

You may need to change your posting method from POST to GET.

Also, if you did not want to use the session vars, by changing it to GET you can call the variables that were filled in the form.

An example of using GET can be found here: http://www.w3schools.com/asp/asp_inputforms.asp
Author Comment by: Valliappan AN (ID: 41721131)
Making it GET will make it visible in the query string. We do not want it to be visible either way, to avoid any man-in-the-middle attack.

If I understood what you suggest, how do we set the session variable from the login textbox, from the client side?

Note: Also, the site is already HTTPS, so the communication should be secure, I think. But in the browser, when we view the POST data, it reveals the password and user name.

Thanks.
Expert Comment by: JesNoFear (ID: 41721140)
What is your button click code for login?
Author Comment by: Valliappan AN (ID: 41721167)
Sorry, we use the Login control.

And the OnAuthenticate code goes like this:

```csharp
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
}

private bool ValidateUser(string sUser, string sPwd)
{
    // validate here and return value.
    return false; // placeholder until the real check is filled in
}
```
Expert Comment by: JesNoFear (ID: 41721458)
Cool, so it looks like you are using C#, and not VB.NET, but that's OK.

So right before your "Return True;" in ValidateUser, add in a

```csharp
Session["UserName"] = sUser;
Session["Password"] = sPwd;
```


https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
Author Comment by: Valliappan AN (ID: 41721475)
No, we do not want the username or password in the POST data during authentication itself (before ValidateUser here).

For example, in Internet Explorer, F12 'Developer Tools':
1) Click on the Network tab.
2) Click the green arrow (On).

Log in to the page with credentials.

3) Click Details to see the POST data. The user is able to see the username and password in the POST data. This was reported as a SQL injection vulnerability.

Thanks.
Expert Comment by: JesNoFear (ID: 41721496)
What does your login button look like?
Something like this?

```aspx
<asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>
```


Your login page should be something like this:
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6
Accepted Solution by: JesNoFear (earned 2000 total points, ID: 41721957)
In doing the developer view like you described, if you look in the body of the transaction you do see the username and password, but this is required, same as using GET.
The reason you see this is because, between the web browser session and the server, the username and password need to be passed; otherwise the server would never get what is entered in the browser.

But as far as the URL goes, it should not be part of the URL, which is what I thought this topic was originally about, using the POST method.

The only way to make sure it stays secure is to encrypt it with an SSL cert, which you said you have already done.

Aside from that, you could, in the code, encrypt the fields and decrypt them on the server side.
Something like http://www.saipanyam.net/2010/03/encrypt-query-strings.html

But all you are doing is double encryption; it just depends on how paranoid you are over the login sessions.

One way to safeguard your data is to be sure your SSL cert has a high level of encryption; 2048 is the bare minimum currently.

Hope this answers your question.

Another reference: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string
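As an added example (not code from the thread or from the asker's site), here is one way the server side of this Login control can be written so that the credentials the browser must post are verified against a stored salted PBKDF2 hash, only the username is kept in Session after a successful login, and a login that did not arrive over HTTPS is rejected, reflecting the accepted answer's point that TLS is what protects the POST body in transit. The Users dictionary, HashPassword, Pbkdf2, the iteration count and the "alice" record are constructed assumptions standing in for a real user store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page
{
    private const int Iterations = 20000, SaltBytes = 16, HashBytes = 32; // assumed params
    // Constructed in-memory user store (username -> salt, hash); a real site reads these
    // from its database, where the hash was created at registration with HashPassword().
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.OrdinalIgnoreCase)
        { { "alice", HashPassword("correct-horse-battery") } };

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Credentials sit in the POST body by design; TLS is what protects them in
        // transit, so a login that did not arrive over HTTPS is rejected outright.
        if (!Request.IsSecureConnection) { e.Authenticated = false; return; }
        e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
        if (e.Authenticated)
            Session["UserName"] = Login1.UserName; // keep the identity, not the password
    }

    private static bool ValidateUser(string sUser, string sPwd)
    {
        Tuple<byte[], byte[]> rec;
        if (sUser == null || sPwd == null || !Users.TryGetValue(sUser, out rec))
            return false; // unknown user
        byte[] computed = Pbkdf2(sPwd, rec.Item1);
        // Compare every byte so timing does not reveal where the first mismatch is.
        int diff = computed.Length ^ rec.Item2.Length;
        for (int i = 0; i < computed.Length && i < rec.Item2.Length; i++)
            diff |= computed[i] ^ rec.Item2[i];
        return diff == 0;
    }

    private static Tuple<byte[], byte[]> HashPassword(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return Tuple.Create(salt, Pbkdf2(password, salt));
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashBytes);
    }
}
```

The plaintext password exists only for the duration of ValidateUser; nothing in Session or the user store lets it be recovered later.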