PvtVandals

Reputation: 123

MVC password best practices

I have a login form with a razor field for password. My web site is over https.

Everything was working fine until someone added this code under OnException(ExceptionContext filterContext) in the base controller:

    // Copies every posted form field into a list, then appends each
    // key/value pair verbatim to sb, the StringBuilder that is emailed.
    string[] keys = filterContext.HttpContext.Request.Form.AllKeys;
    var valueMap = new List<KeyValuePair<string, string>>();
    foreach (var key in keys)
    {
        valueMap.Add(new KeyValuePair<string, string>(key, filterContext.HttpContext.Request.Form[key]));
    }

    if (valueMap.Any())
    {
        sb.AppendLine("POST Parameters : ");
        foreach (var keyValuePair in valueMap)
        {
            // No filtering here: password fields are written out in clear text.
            sb.AppendLine(string.Format("   - {0} : {1}", keyValuePair.Key, keyValuePair.Value));
        }
    }

It then sends an email to support with the content of the string builder. The password was included in the mail.

I don't want this situation to happen again.

What is the best solution? Is there something built into MVC4 to handle this case? Do I have to use JS password encryption on the form?

Upvotes: 0

Views: 317

Answers (1)

iamkrillin

Reputation: 6876

No, don't add encryption on the form. Doing that would require you to decrypt the data before you can use it, and that still doesn't really address the problem you are concerned with. I'd suggest that you modify that exception handler to skip password fields. If your site accepts credit cards, you might want to give those fields similar treatment as well.

Upvotes: 1
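One way to implement what the answer recommends, as an added example that is not part of the original question or answer: a small helper that produces the "POST Parameters" section for the support email with sensitive values masked instead of being dumped verbatim. It masks rather than drops the field so the email still shows which fields were posted. In System.Web, Request.Form is a NameValueCollection, so the helper takes that type and can be called from OnException as sb.Append(FormDump.Redacted(filterContext.HttpContext.Request.Form)). The list of sensitive name fragments and the sample form in Main are assumptions made for this example; adjust the fragments to the field names your own views post.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Text;

// Added example: redacting form dump for an exception-notification email.
// Not code from the original question or answer.
public static class FormDump
{
    // Any key containing one of these fragments (case-insensitive) is masked.
    // Substring matching also catches model-bound names such as
    // "LoginModel.Password" or "Card.Cvv". The list is an assumption for
    // this example; extend it to match your own form field names.
    private static readonly string[] SensitiveFragments =
    {
        "password", "passwd", "pwd", "secret", "token",
        "cardnumber", "cvv", "cvc", "ssn"
    };

    private const string Mask = "[REDACTED]";

    // True when the field name looks like it carries a credential or card data.
    public static bool IsSensitive(string key)
    {
        if (string.IsNullOrEmpty(key)) return false;
        return SensitiveFragments.Any(f =>
            key.IndexOf(f, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    // Builds the "POST Parameters" section with sensitive values masked.
    // Returns an empty string for an empty form, like the original handler,
    // which appended nothing in that case.
    public static string Redacted(NameValueCollection form)
    {
        if (form == null || form.Count == 0) return string.Empty;

        var sb = new StringBuilder();
        sb.AppendLine("POST Parameters : ");
        foreach (string key in form.AllKeys)
        {
            // AllKeys can contain null for a value posted without a name;
            // the indexer accepts null, so the entry is still reported.
            string shown = IsSensitive(key) ? Mask : form[key];
            sb.AppendLine(string.Format("   - {0} : {1}", key ?? "(no name)", shown));
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample form, standing in for Request.Form on a login post.
        var form = new NameValueCollection
        {
            { "UserName", "alice" },
            { "LoginModel.Password", "hunter2" },
            { "RememberMe", "true" },
            { "__RequestVerificationToken", "abc123" }
        };
        Console.Write(Redacted(form));
    }
}
```

Two caveats a practitioner would want alongside this. First, name-based masking only protects fields whose names you anticipated; a user who types their password into the username box by mistake still ends up in the email, so treat any form dump sent off-box as sensitive and keep it short. Second, the same unredacted dump can leak through other channels than email (log files, crash reporters), so apply the filter wherever Request.Form is serialized, not only in OnException.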
