Form Authentication, Login&Password are clear text?

frank

Hi,

I have some issues with protecting UserName&Password.

When UserName&Password transit through the Network from Browser to IIS, they
are in clear text, Web.config can not cover that at the very beginning?

So how to protect that when the user clicks the login button at the login page?

Asp.net App can do the protection from Web.config after the user ticket was
created:

----------------------
<forms name=".COOKIEDEMO"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/">
</forms>
----------------------
 
Joe Kaplan

If you are really concerned about this, you should be using SSL with forms
authentication. It will protect the plaintext credentials on the network
during the form post to the server.

The important thing to remember with forms auth is that the forms auth
cookie is usually interchangeable with the login, so if someone steals that,
it is just as good as having the username and password for most operations.
Thus, if you don't encrypt all the network traffic after the forms auth
login, you are just as vulnerable to having the cookie stolen by snooping as
you are with having the username and password stolen during the logon form
POST.

Joe K.
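
Joe's recommendation expressed as configuration, as an added example that is not part of the original thread: frank's `<forms>` element with `requireSSL` added so the ticket cookie is marked Secure, plus a site-wide `<httpCookies>` setting. It assumes an SSL certificate is already bound to the site in IIS and that login.aspx and every authenticated page are served over https.

```xml
<!-- Added example, not from the thread. Assumes an SSL certificate is already
     bound to the site in IIS and that the login page and all authenticated
     pages are requested over https. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- frank's original element, for comparison:
             <forms name=".COOKIEDEMO" loginUrl="login.aspx"
                    protection="All" timeout="30" path="/" />
           protection="All" encrypts and validates the ticket inside the
           cookie, but over plain HTTP the login POST and the cookie itself
           are still readable on the wire, and a captured cookie can be
           replayed as-is. -->
      <forms name=".COOKIEDEMO"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"
             requireSSL="true"
             cookieless="UseCookies" />
      <!-- requireSSL="true": the ticket cookie is issued with the Secure
           attribute, so the browser only returns it over HTTPS.
           cookieless="UseCookies": the ticket is never placed in the URL. -->
    </authentication>
    <!-- Same Secure flag for the application's other cookies, and HttpOnly so
         client-side script cannot read them. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With `requireSSL="true"` the browser does not send the ticket cookie on plain-HTTP requests, so any page still served over http sees the user as unauthenticated.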
 
frank

If the UserName&Password was stolen, they can do anything with the
credential. I cannot imagine what will happen, and why do most websites not
use SSL? The balance between Performance and Security?
 
Joe Kaplan

Most websites that are serious about security do use SSL for secure
operations. :) In some cases, the perf hit is a major problem and the
tradeoff against SSL is made, especially if the security of the transaction
is not considered to be that critical. A banking site or site that collects
your credit card probably has higher risk factors than a web forum (although
that depends on what is being discussed :)).

In many cases, for small websites, SSL might seem too expensive or too hard
to deal with from a hosting perspective.

SSL has gotten pretty inexpensive though, so the cost is much less of a
barrier than it used to be.

Joe K.
 
