[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

How to hide the password and username not to be revealed in post data in asp.net?

Posted on 2016-07-20
8
Medium Priority
?
60 Views
Last Modified: 2016-08-04
Hi, from our login page, when user logins, the post data, reveals the user name and password as follows:

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In

Open in new window


Could someone throw some light on how to fix this. This security issue we wanted to fix in our site.  Thanks.
0
Comment
Question by:Valliappan AN
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721120
Use Session("UserName") and Session("Password"), or make them less descript.
Session("xxxx") is a user session based variable.

you may need to change your posting method from Post to Get.

also, if you did not want to use the session var's, by changing it to GET, you can call the variables that were filled in the form.

an example of using get can be found here, http://www.w3schools.com/asp/asp_inputforms.asp
0
 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721131
Making it to Get, will make it visible in querystring. We do not want it either way to be visible to avoid any man-in-the-middle-attack.

If i understood what you suggest, How do we set session variable from login textbox, from client side?

Note: Also the site is already https, so the communication should be secure i think.  But in browser when we view postdata, it reveals the password and user name.

thanks.
0
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721140
what is your button click code for login?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721167
Sorry, we use login control.

And the OnAuthenticate code goes like this:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
        {
            e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
        }

private bool ValidateUser(string sUser, string sPwd)
        {
              //validate here and return value.
        }

Open in new window

0
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721458
cool, so it looks like your are using C, and not vb.net, but that's ok

so right before your "Return True;" in the ValidateUser, add in a
Session["UserName"] = sUser; 
Session["Password"] = sPwd; 

Open in new window


https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
0
 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721475
No, we do not want the username or password, but when authenticating itself (before ValidateUser here), in the POST data,

for example in Internet Explorer - F12 - 'Developer Tools',
1) click on Network tab
2) click green arrow - On

Login to the page with credentials.

3) click Details to see the POST data.  The user is able to see the username and password in POST data. This reported SQL Injection vulnerability.

Thanks.
0
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721496
what is your login button look like?
something like this?
<asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>

Open in new window


Your login page should be something like this,
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6
0
 
LVL 2

Accepted Solution

by:
JesNoFear earned 2000 total points
ID: 41721957
in doing the developer view like you described. If you look in the body of the transaction, you do see the username and password, but this is required. same as using GET.
The reason you see this is because between the web browser session to the server, the username and password need to be passed. otherwise the server would never get what is entered in the browser.

but as far as the URL, it should not be part of URL, which is what i though this topic was originally about, using the POST method.

the only way to make sure it stays secure is to encrypt it with an SSL Cert, which you said you have already done.

aside from that, you could in the code, encrypt the fields and decrypt them on the server side.
something like http://www.saipanyam.net/2010/03/encrypt-query-strings.html

but all you are doing is double encryption, it just depends on how paranoid you are over the login sessions.

one way to safeguard your data is to be sure your SSL Cert has a high level of encryption, 2048 is the bare minimum currently.

Hope this answers your question.

another reference: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
The ECB site provides FX rates for major currencies since its inception in 1999 in the form of an XML feed. The files have the following format (reducted for brevity) (CODE) There are three files available HERE (http://www.ecb.europa.eu/stats/exch…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question