Forms Authentication, Login & Password is clear text through the netw

frank

Hi,

I have a question about ASP.NET Forms Authentication:
When a user logs in from the client to the web server, is the UserName & Password sent as clear
text or not if we do not use SSL?


Thanks!
 
frank

I guess clear text is used; I just hope I can prove that from somewhere.

Does anybody know of a resource that explains this?

Thanks!
 
bruce barker

Unless you use SSL, it's clear text (just a form field).

-- bruce (sqlwork.com)
 
frank

I appreciate the reply.

Could you please provide some useful resources for better understanding?


Thanks!
 
frank

Between the browser and the web server, if the UserName & Password is clear text, what
is the purpose of web.config?

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".COOKIEDEMO"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/">
        <credentials passwordFormat="SHA1" />
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
 
bruce barker

Forms authentication uses a cookie or URL munging to store the user name in
the browser (else you'd have to answer every page). This is encrypted. Only
on the login page is the username/password in clear text.

-- bruce (sqlwork.com)
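
An added example, not part of the thread and not from any poster: a small Python check that reads the web.config posted above and reports which forms-authentication settings leave something unprotected. The function name audit_forms_auth is hypothetical, and the defaults it assumes (requireSSL false, protection All, passwordFormat SHA1) are ASP.NET's documented defaults for these attributes.

```python
import xml.etree.ElementTree as ET

# Constructed input: the web.config from the thread, unchanged in content.
THREAD_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".COOKIEDEMO" loginUrl="login.aspx" protection="All"
             timeout="30" path="/">
        <credentials passwordFormat="SHA1" />
      </forms>
    </authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>
"""

def audit_forms_auth(config_xml):
    """Return a list of (setting, problem) findings for forms authentication."""
    root = ET.fromstring(config_xml.strip())
    auth = root.find("./system.web/authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return [("authentication", "forms authentication is not enabled")]
    forms = auth.find("forms")
    attrs = forms.attrib if forms is not None else {}
    findings = []
    # requireSSL defaults to false: the ticket cookie is then also sent
    # over plain HTTP connections.
    if attrs.get("requireSSL", "false").lower() != "true":
        findings.append(("requireSSL", "ticket cookie not restricted to HTTPS"))
    # protection defaults to All (encrypt + validate). It covers only the
    # ticket, never the username/password posted from the login form.
    if attrs.get("protection", "All") != "All":
        findings.append(("protection", "ticket is not both encrypted and validated"))
    creds = forms.find("credentials") if forms is not None else None
    if creds is not None and creds.get("passwordFormat", "SHA1") == "Clear":
        findings.append(("passwordFormat", "passwords stored unhashed in web.config"))
    return findings

if __name__ == "__main__":
    for setting, problem in audit_forms_auth(THREAD_CONFIG):
        print(f"{setting}: {problem}")
```

A clean result from this check says nothing about the login POST itself; that is protected only when login.aspx is served over HTTPS.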
 
