pooya mahmoodi

Reputation: 93

passing username and password to the server in a secure way

In my web application there is a sign-up page with five textboxes (username, password, confirm password, email and confirm email), and a button named Register. As I know, a wise suggestion is to hash the password before saving it in the database, but hashing the password is done on the server side. The password is sent to the server (from the client side) without any change.

My first question: is there any possibility for hackers to access this unchanged password? Second question: if the answer is yes, is there any way to send the password to the server without this risk?

Upvotes: 0

Views: 139

Answers (2)

Red Wei

Reputation: 942

Yes, you can. Just use HTTPS (see the Microsoft page).

In Startup.cs, use UseHttpsRedirection:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // Sends the Strict-Transport-Security header so browsers refuse plain HTTP for this host
        // (not used in development, where the site is typically served over plain HTTP on localhost).
        app.UseHsts();
    }

    // Redirects every HTTP request to its HTTPS equivalent before anything else handles it.
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseMvc();
}

The following code calls AddHttpsRedirection to configure middleware options:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddHsts(options =>
    {
        // Preload and IncludeSubDomains are emitted in the header; MaxAge is how long
        // the browser remembers to use HTTPS only.
        options.Preload = true;
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(60);
        // Hosts listed here do not receive the HSTS header at all.
        options.ExcludedHosts.Add("example.com");
        options.ExcludedHosts.Add("www.example.com");
    });

    services.AddHttpsRedirection(options =>
    {
        // 307 keeps the method and body of the redirected request; 5001 is the HTTPS port
        // the redirect points at (the default Kestrel development port).
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });
}

Upvotes: 1

Joel Coehoorn

Reputation: 415600

This is what https/tls (formerly ssl) is for.

You need to ensure that the login page can only be accessed via https. Any http-only requests should be rejected or forwarded to the https page. Additionally, once you have issued a login token, whatever form that takes, all pages that use that token should only be allowed to use https.

You can write code for this, but generally I find it easier to handle this at the web server (IIS) level.

Upvotes: 1
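Putting both answers together in one place, as an added example that is not code from the question, either answer or the Microsoft page: an ASP.NET Core 2.x Startup in the same style as the first answer that redirects HTTP to HTTPS and sends HSTS, a RequireHttps filter that rejects a registration POST arriving over plain HTTP and a Secure cookie policy so the login token never travels over HTTP (the second answer's two requirements), and a registration action that hashes the password with PBKDF2 the moment it arrives, since TLS protects it only on the wire. RegisterModel, IUserStore and AccountController are assumed names, and port 443, the one-year HSTS max-age and the 100,000 PBKDF2 iterations are values chosen for the example, not anything the page specifies.

```csharp
// Added example, not code from the page. Assumed names: RegisterModel, IUserStore, AccountController.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // RequireHttps: a GET over plain HTTP is redirected, a POST over plain HTTP gets 403 instead of being processed.
        services.AddMvc(options => options.Filters.Add(new RequireHttpsAttribute()));

        // HSTS: a browser that has seen this header over HTTPS upgrades later http:// links
        // itself, so the sign-up form is never requested in the clear.
        services.AddHsts(options =>
        {
            options.IncludeSubDomains = true;
            options.MaxAge = TimeSpan.FromDays(365);
        });
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443;
        });

        // The login token lives in a cookie: Secure keeps it off HTTP, HttpOnly away from script.
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.Secure = CookieSecurePolicy.Always;
            options.HttpOnly = HttpOnlyPolicy.Always;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (!env.IsDevelopment()) app.UseHsts();
        // Caveat: the redirect covers a GET of the page. A POST a browser has already sent
        // over HTTP exposed the password before the redirect; HSTS and RequireHttps prevent that.
        app.UseHttpsRedirection();
        app.UseCookiePolicy();
        app.UseMvc();
    }
}

public class RegisterModel
{
    public string UserName { get; set; }
    public string Email { get; set; }
    public string Password { get; set; }
    public string ConfirmPassword { get; set; }
}

// Assumed persistence interface: it receives the hash, never the password.
public interface IUserStore { void Save(string userName, string email, string passwordHash); }

public class AccountController : Controller
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000; // chosen for the example
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Register(RegisterModel model, [FromServices] IUserStore users)
    {
        if (!ModelState.IsValid || model.Password != model.ConfirmPassword) return BadRequest();
        // TLS protected the password on the wire; from here on only its hash survives.
        users.Save(model.UserName, model.Email, HashPassword(model.Password));
        return RedirectToAction("Index", "Home");
    }

    // PBKDF2-HMAC-SHA256 with a fresh random salt, stored as "iterations.salt.hash".
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash = Pbkdf2(password, salt, Iterations);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // At login: recompute with the stored salt and compare without an early exit.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Pbkdf2(password, Convert.FromBase64String(parts[1]), int.Parse(parts[0]));
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}
```

Two things worth checking once this is deployed: request the sign-up page over http:// and confirm the response is a 308 to the https:// URL rather than the form itself, and confirm the https:// response carries Strict-Transport-Security, since without that header a user who types the bare hostname still makes one plain HTTP request on every visit.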
