Reputation: 3121
Send sensitive data from my website to my C# application
I have a run of the mill externally hosted website (linux platofmr) with mysql, php technologies installed. I require my C# application to collect data from the website.
I have a MYSQL database on my website and I want to send my username and password in order to access some sensitive data (using a PHP script)
My current design looks something like this:
C# application POSTs to a login.php script on the website.
e.g mywebsite.com/login.php?username=admin?password=MD5HashedPassword
The script generates a blank page with "OK" if the username and password matches that in the database.
Now I think that's probably secure for just logging in, but if I want the login script to generate XML data which would contain sensitive information, I don't believe it's a secure way of doing it. Am I correct in thinking this?
So what direction should I go. Should I have some kind of PHP Session between my application and the website. Is that a straightforward thing to do? Should I drop the use of PHP all together and use a different technology?
Any opinions and suggestions are greatly welcomed.
Many Thanks
Upvotes: 2
Views: 1372
Answers (2)
Reputation: 6515
SSL is the standard way of protecting data on the wire. If you have a cert just load it into your web server (process varies between servers) and make sure your program specifies https as the protocol.
You authentication system looks... non-standard. You typically can't use your platform's forms authentication if you are going to be using programmatic http requests. But rather than roll your own, you should prefer basic or digest authentication. In that case, the credentials will be passed in a header rather than explicitly as a part of a query string. Since you are using SSL, basic authentication is safe.
Upvotes: -1
Reputation: 11953
This should be just fine, provided the following conditions about your transaction are true:
The POST request to the PHP page happens from the C# server to the PHP server, and the user's browser does not perform the POST. If the user's browser performs the POST to the PHP server then an attacker can simply intercept the request with a proxy like Burp Suite and extract the hashed password, then make additional requests of a malicious nature.
The username/password is passed as POST parameters and not GET parameters in a query string. You used this example:
e.g mywebsite.com/login.php?username=admin?password=MD5HashedPasswordwhich looks to me like a GET request using query string. This is not safe.The POST request only goes over HTTPS/SSL and not regular HTTP. This will ensure that the communication is encrypted from TCP downward.
Upvotes: 3
Related Questions
- Is it secure to send username and password in plaintext from C# to Wordpress site over https
- Secure authentication and requests with C# through a PHP REST api
- Https POST from Php to C#
- Is SSL the only way to go for the exchange of information from a remote to a webserver?
- Secure Communication Between .Net Application and Website
- How to send sensitive data to an Asp.net Web API server
- how to Post encrypted data from http page to https page?
- C# app should send some data to php website but should respect auth policies
- Easy HTTPS to PHP script
- Is it possible to send data from a C# application to a website/webserver?