How to hide the username and password so they are not revealed in POST data in ASP.NET?

Hi, from our login page, when a user logs in, the POST data reveals the user name and password as follows:

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In

Could someone throw some light on how to fix this? We wanted to fix this security issue in our site. Thanks.
Asked by Valliappan AN, Senior Tech Consultant.
JesNoFear, Enterprise Systems Administration Team Member, commented:
In doing the developer view like you described, if you look in the body of the transaction, you do see the username and password, but this is required, same as using GET.
The reason you see this is because between the web browser session and the server, the username and password need to be passed; otherwise the server would never get what is entered in the browser.

But as far as the URL goes, it should not be part of the URL, which is what I thought this topic was originally about, using the POST method.

the only way to make sure it stays secure is to encrypt it with an SSL Cert, which you said you have already done.

aside from that, you could in the code, encrypt the fields and decrypt them on the server side.
something like http://www.saipanyam.net/2010/03/encrypt-query-strings.html

but all you are doing is double encryption, it just depends on how paranoid you are over the login sessions.

one way to safeguard your data is to be sure your SSL Cert has a high level of encryption, 2048 is the bare minimum currently.

Hope this answers your question.

another reference: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string
JesNoFear, Enterprise Systems Administration Team Member, commented:
Use Session("UserName") and Session("Password"), or make them less descript.
Session("xxxx") is a user session based variable.

you may need to change your posting method from Post to Get.

also, if you did not want to use the session var's, by changing it to GET, you can call the variables that were filled in the form.

an example of using get can be found here, http://www.w3schools.com/asp/asp_inputforms.asp
Valliappan AN, Senior Tech Consultant (author), commented:
Making it GET will make it visible in the query string. We do not want it to be visible either way, to avoid any man-in-the-middle attack.

If I understood what you suggest, how do we set a session variable from the login textbox, from the client side?

Note: Also, the site is already HTTPS, so the communication should be secure, I think. But in the browser, when we view the POST data, it reveals the password and user name.

thanks.
JesNoFear, Enterprise Systems Administration Team Member, commented:
What is your button click code for login?
Valliappan AN, Senior Tech Consultant (author), commented:
Sorry, we use login control.

And the OnAuthenticate code goes like this:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    // The Login control raises this event with the submitted credentials.
    e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
}

private bool ValidateUser(string sUser, string sPwd)
{
    // validate here and return the result (stub returns false so it compiles).
    return false;
}

JesNoFear, Enterprise Systems Administration Team Member, commented:
Cool, so it looks like you are using C#, and not VB.NET, but that's ok.

So right before your "return true;" in ValidateUser, add in:

Session["UserName"] = sUser;
Session["Password"] = sPwd;

https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
Valliappan AN, Senior Tech Consultant (author), commented:
No, we do not want the username or password in the POST data when authenticating itself (before ValidateUser here).

for example in Internet Explorer - F12 - 'Developer Tools',
1) click on Network tab
2) click green arrow - On

Login to the page with credentials.

3) Click Details to see the POST data. The user is able to see the username and password in the POST data. This was reported as an SQL injection vulnerability.

Thanks.
JesNoFear, Enterprise Systems Administration Team Member, commented:
What does your login button look like?
Something like this?
<asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>

Your login page should be something like this,
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6