Reputation: 148664
A user has an ASPX page. It has a textbox input (for a password). The user fills in his password. The page is submitted to the IIS. It first goes to the IIS. By this stage the password is in memory as plain text. Now ASP.NET puts its password in a SecureString. After doing some calculations, the page is sent to the client. From the IIS POV: it still actually sees the password as plain text... isn't it?
Upvotes: 0
Views: 326
Reputation:
Reading a SecureString is more complicated. There is no simple ToString method, which is also intended to keep the data secure. To read the data, C# developers must access the data in memory directly. Luckily the .NET Framework makes it fairly simple. Use appropriate members of the System.Runtime.InteropServices.Marshal class, such as the SecureStringToBSTR method, to manipulate the value of a SecureString object.
IntPtr stringPointer = Marshal.SecureStringToBSTR(objSecureString); // decrypted copy in unmanaged memory
try { string normalString = Marshal.PtrToStringBSTR(stringPointer); }
finally { Marshal.ZeroFreeBSTR(stringPointer); } // zero and free the unmanaged copy
Upvotes: 1
Reputation: 25742
As per your story, it makes little sense to store the password in SecureString. It was already present in the memory as a normal string once, so storing it back in SecureString is not that useful. Plus, when the form goes back, everything will still be sent back as plain text.
In these situations, it is best to secure the server-client communication (i.e. with SSL), rather than trying to secure the system from attackers who would gain access to the computer, analyze the memory, and extract passwords(!).
Upvotes: 3
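The following C# is an added example illustrating both answers above; it is not code from either answer. It shows the read-back pattern from the first answer written with the unmanaged buffer zeroed afterwards, and the point of the second answer: once the password has existed as a plain managed string (as a posted form value always has), wrapping it in a SecureString gains nothing, because the original immutable string stays on the managed heap until garbage collection. The class name SecureStringDemo, the helper names and the sample value "hunter2" are constructed for this illustration. One caveat for anyone reading this today: on .NET Core and .NET 5+ the contents are not encrypted on non-Windows platforms, and Microsoft's current guidance is not to use SecureString in new code.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

// Hypothetical helper class for this illustration; not from the original answers.
static class SecureStringDemo
{
    // Builds a SecureString one character at a time. This is the only way the
    // plaintext avoids ever becoming an immutable managed string; the caller
    // can clear the source buffer afterwards.
    public static SecureString FromChars(char[] chars)
    {
        var secure = new SecureString();
        foreach (char c in chars)
            secure.AppendChar(c);
        secure.MakeReadOnly();   // no further AppendChar/RemoveAt allowed
        return secure;
    }

    // The situation in the question: the form post has already produced a
    // plain managed string. Copying it into a SecureString does not remove
    // 'plain' from the managed heap; it is still readable there.
    public static SecureString FromAlreadyMaterializedString(string plain)
    {
        var secure = new SecureString();
        foreach (char c in plain)
            secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure; // 'plain' remains alive until the GC reclaims it
    }

    // Reads the value back as in the first answer. SecureStringToBSTR copies
    // the decrypted characters into unmanaged memory; ZeroFreeBSTR overwrites
    // and frees that copy. The returned managed string is plaintext again.
    public static string Reveal(SecureString secure)
    {
        IntPtr bstr = IntPtr.Zero;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secure);
            return Marshal.PtrToStringBSTR(bstr);
        }
        finally
        {
            if (bstr != IntPtr.Zero)
                Marshal.ZeroFreeBSTR(bstr);
        }
    }

    // Alternative that never creates a managed string: inspect the characters
    // directly in the unmanaged buffer (two bytes per UTF-16 char) and zero it.
    public static int CountDigits(SecureString secure)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(secure);
        try
        {
            int digits = 0;
            for (int i = 0; i < secure.Length; i++)
            {
                char c = (char)Marshal.ReadInt16(bstr, i * sizeof(char));
                if (char.IsDigit(c)) digits++;
            }
            return digits;
        }
        finally
        {
            Marshal.ZeroFreeBSTR(bstr);
        }
    }

    static void Main()
    {
        // Constructed sample input. In the question this would be the posted
        // textbox value, which has already arrived as a plain string.
        char[] typed = "hunter2".ToCharArray();
        using (SecureString s = FromChars(typed))
        {
            Array.Clear(typed, 0, typed.Length);        // wipe the source buffer
            Console.WriteLine(s.Length);                // 7: length is readable without revealing
            Console.WriteLine(CountDigits(s));          // 1, computed without a managed copy
            Console.WriteLine(Reveal(s) == "hunter2");  // True, but a plain string now exists again
        }
    }
}
```

CountDigits uses Marshal.ReadInt16 rather than a raw pointer so the example compiles without the unsafe option. Dispose (via using) zeroes and frees the SecureString's own buffer; it cannot reach any managed string that was created before or after it, which is exactly why the second answer recommends protecting the transport (TLS) instead of relying on SecureString on the server.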