Reputation: 19465
I'm wondering if I have a web service like this:
Login(username, password)
or a page like
login.aspx?u=username&p=pass
If they were called from a desktop app, which would be more secure? From what I've read, a sniffer can read the request and figure out the URL. I AM hashing the passwords before putting them in the request, but if someone sees the request URL with the params/query string then they can make the request with the same values!?
How easy/hard is it for a sniffer to figure out the hashed password? Should I encrypt the password and username before putting it into the URL and web service? Any other options I have?
I'm asking because the data is NOT all that sensitive but basic security should exist at a minimal performance cost.
NOTE: SSL is NOT an option
Upvotes: 1
Views: 302
Reputation: 1477
If you're working with a bank, you may be obliged to use SSL. Check your local legislation - I think this will also determine what is sensitive data.
Upvotes: 0
Reputation: 32377
Use SSL to create a unique session token via a login service. Use that session token over standard HTTP for the rest.
Your login session will need to take the username/password as a POST, otherwise the values will be visible in the URL request to the server and to possible snooping on the network.
Upvotes: 1
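An added example, not code from any poster in this thread: it shows why the hashed password in login.aspx?u=...&p=... is itself the credential (the same URL is accepted again without the password), next to the session-token login the answer above describes. The SHA-256 client hash, the function names, the app.example host, the sample account and the 15-minute token lifetime are all assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlsplit, parse_qs

def client_hash(password):
    # What the desktop app puts in the request instead of the password (assumed SHA-256).
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample account; the server stores the value the client sends.
USERS = {"alice": client_hash("correct horse")}
SESSIONS = {}      # token -> (user, expiry time)
TOKEN_TTL = 900    # seconds; assumed lifetime

def check_credentials(user, sent_hash):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), sent_hash.encode())

def login_by_url(url):
    # login.aspx?u=...&p=<hash> over plain HTTP: whoever holds the hash can log in.
    q = parse_qs(urlsplit(url).query)
    return check_credentials(q.get("u", [""])[0], q.get("p", [""])[0])

def login_for_token(user, sent_hash, now=None):
    # Login request (POST body, sent over SSL in the answer's scheme).
    if not check_credentials(user, sent_hash):
        return None
    token = secrets.token_urlsafe(32)   # random, different on every login
    start = time.time() if now is None else now
    SESSIONS[token] = (user, start + TOKEN_TTL)
    return token

def user_for_token(token, now=None):
    # Later plain-HTTP requests carry only the token, never the hash.
    current = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None or entry[1] <= current:
        SESSIONS.pop(token, None)       # unknown or expired
        return None
    return entry[0]

def logout(token):
    SESSIONS.pop(token, None)           # server-side revocation

if __name__ == "__main__":
    url = "http://app.example/login.aspx?u=alice&p=" + client_hash("correct horse")
    print("original request accepted:", login_by_url(url))
    print("identical URL sent again:", login_by_url(url))
    t = login_for_token("alice", client_hash("correct horse"))
    print("token maps to:", user_for_token(t))
    logout(t)
    print("token after logout:", user_for_token(t))
```

A token sent over plain HTTP can still be observed on the network, but it expires and can be revoked on the server, whereas the hash in the URL stays valid until the password is changed.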
Reputation: 1039080
Just use HTTPS to encrypt the channel. That way you don't have to worry about sniffers.
Upvotes: 1