Valliappan AN
asked on
How to hide the password and username not to be revealed in post data in asp.net?
Hi, from our login page, when a user logs in, the POST data reveals the user name and password as follows:
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In
Could someone throw some light on how to fix this? This is a security issue we want to fix in our site. Thanks.
ASKER
Making it GET will make it visible in the query string. We do not want it to be visible either way, to avoid any man-in-the-middle attack.
If I understood what you suggest, how do we set a session variable from the login textbox, from the client side?
Note: Also, the site is already HTTPS, so the communication should be secure, I think. But in the browser, when we view the POST data, it reveals the password and user name.
Thanks.
What is your button click code for login?
ASKER
Sorry, we use the Login control.
And the OnAuthenticate code goes like this:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
}
private bool ValidateUser(string sUser, string sPwd)
{
    // validate here and return value.
    return false; // placeholder so the method compiles; the real check goes above
}
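As an added example, not code from this thread: the same Login1_Authenticate/ValidateUser pair written so the submitted password is checked against a stored salted PBKDF2 hash and nothing from the credential is copied into Session or ViewState (HTTPS already protects the POST in transit; the browser's developer tools show the body before it is encrypted). The LoginPage class, the demo user "alice", and the TryGetStoredCredential lookup are assumptions constructed for the demo, standing in for the site's own user table.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.UI.WebControls;
// Code-behind for a page whose markup declares <asp:Login ID="Login1" ...> (assumed).
public partial class LoginPage : System.Web.UI.Page
{
    private const int Iterations = 100000, HashLength = 32;
    // Constructed demo record standing in for the user table; a real site reads
    // salt and hash from its membership store and never keeps the plaintext.
    private static readonly byte[] DemoSalt = new byte[16], DemoHash;
    static LoginPage()
    {
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(DemoSalt);
        DemoHash = Derive("demo-password-only", DemoSalt); // constructed, not a real credential
    }
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
        // On success the Login control issues the forms-authentication cookie;
        // nothing from the credential is copied into Session or ViewState.
    }
    private bool ValidateUser(string sUser, string sPwd)
    {
        byte[] salt, storedHash;
        if (!TryGetStoredCredential(sUser, out salt, out storedHash)) return false;
        return FixedTimeEquals(Derive(sPwd, salt), storedHash);
    }

    // Hypothetical lookup: only the demo user "alice" exists.
    private static bool TryGetStoredCredential(string user, out byte[] salt, out byte[] hash)
    {
        salt = DemoSalt; hash = DemoHash;
        return string.Equals(user, "alice", StringComparison.Ordinal);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Compares every byte so a mismatch does not return early (no timing side channel).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```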
cool, so it looks like you are using C, and not vb.net, but that's ok
https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
so right before your "Return True;" in the ValidateUser, add in a
Session["UserName"] = sUser;
Session["Password"] = sPwd;
ASKER
No, we do not want the username or password. When authenticating itself (before ValidateUser here), they appear in the POST data.
For example, in Internet Explorer - F12 - 'Developer Tools':
1) click on the Network tab
2) click the green arrow - On
Log in to the page with credentials.
3) click Details to see the POST data. The user is able to see the username and password in the POST data. This was reported as a SQL Injection vulnerability.
Thanks.
What does your login button look like?
Something like this?
<asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>
Your login page should be something like this:
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6
ASKER CERTIFIED SOLUTION
Session("xxxx") is a user session-based variable.
You may need to change your posting method from POST to GET.
Also, if you did not want to use the session vars, by changing it to GET you can call the variables that were filled in the form.
An example of using GET can be found here: http://www.w3schools.com/a