
I'm looking at writing a basic login page for an ASP.NET website, and all the tutorials I've seen basically explain the following steps:
1. Create a form with username and password text boxes, and a login button.
2. Hook up the login button to an event that will call a validate function, passing in the data from these 2 textboxes.
3. Compare the data in these textboxes in some secure fashion to login info in a database, or elsewhere.
4. Return to the client some results, or redirect based on #3.

All the security information I can find refers to things that happen in #3. My concern is the transition from #1 to #2. Won't the data be sent over an HTTP POST in clear text? Couldn't someone just run a TCP trace or Wireshark (Ethereal), inspect the packets, and see the username and password clear as day? Must I buy an SSL cert to prevent this? Is there something in .NET already that will pass this info hashed in some way, if not encrypted?

Thanks, rj

  • Try SSL: install an SSL certificate on your server and access your website through HTTPS. – Raghuveer Nov 12 '12 at 07:25
  • You cannot encrypt something in the browser* and send it encrypted (like the password). You can encrypt something on the server, but cannot decrypt it in the browser* either. (* with security such that a hacker cannot read it.) So SSL is the solution. – Aristos Nov 12 '12 at 07:32

1 Answer

Must I buy an SSL cert to prevent this? 

Yes, to make it secure you need to take care of two things.

  1. The pages must be over SSL, so the name and password are transmitted securely.
  2. The credential cookie must also be sent ONLY over SSL, and of course encrypted.

More to read about:
Can some hacker steal the cookie from a user and login with that name on a web site?
Different users get the same cookie - value in .ASPXANONYMOUS
How serious is this new ASP.NET security vulnerability and how can I workaround it?

Aristos
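The two points in the answer (pages over SSL, credential cookie SSL-only and encrypted) map to a handful of web.config entries in classic ASP.NET Forms authentication. This is an added example, not configuration from the question or answer; the login page path ~/Login.aspx and the 30-minute timeout are assumed.

```xml
<!-- Added example (not from the original post). Assumes Forms authentication
     with a login page at ~/Login.aspx. -->
<configuration>
  <system.web>
    <!-- Weak: the authentication ticket cookie may be sent over plain HTTP,
         so anyone sniffing the path sees it even if the login form itself
         was served over HTTPS. Shown commented out for contrast.
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="false" protection="None" />
    </authentication>
    -->

    <!-- Hardened: the ticket cookie is only issued and sent over HTTPS,
         is encrypted and integrity-checked (protection="All"), and expires. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="30" />
    </authentication>

    <!-- Mark every cookie the application issues (session, anonymous, etc.)
         as Secure and HttpOnly: browsers then never send them over HTTP and
         page scripts cannot read them. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

With requireSSL="true", FormsAuthentication refuses to issue the ticket cookie on a request that did not arrive over HTTPS, so the login page must itself be served over HTTPS, which is exactly the transition from step #1 to #2 that the question worries about.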