
I am making a call to a 3rd party service via https (using HttpWebRequest and sending a username, password in order to return a token which is then needed to make future requests for data). The service would only be required to list items on a public ASPNet website.

There will be no database involved so session or cookies would be storing the token.

To get the token I send a POST request which includes the username/password but I can see these details (username/password) in Fiddler (headers text tab I think but can confirm if anyone asks) - personally I thought I shouldn't? When I make a GET request to get the items I send the token and all works.

So am I supposed to encrypt the username/password somehow before retrieving the token? If yes, how would I do that?

I just feel that anyone could check the POST request and see what's going on. I could be wrong but happy to test any theories.

Edit 1

Here is the code I am using to send the POST request. Please note the username and password, along with the URL, which is https.

    using System;
    using System.IO;
    using System.Net;
    using System.Text;
    using System.Web.Script.Serialization;

    public class TokenFetcher
    {
        private string UsernamePassword()
        {
            // Serialises the credentials as the JSON body the token endpoint expects.
            string un = new JavaScriptSerializer().Serialize(new
            {
                User = "abc",
                Password = "123"
            });

            return un;
        }

        private string GetToken()
        {
            HttpWebRequest wr = (HttpWebRequest)WebRequest.Create("https://site.data.com");

            wr.Headers.Add(HttpRequestHeader.AcceptEncoding, "gzip, deflate, br");
            wr.Headers.Add(HttpRequestHeader.AcceptLanguage, "en-GB,en-US;q=0.9,en;q=0.8");
            // Sec-Fetch-* headers are set by browsers; they have no effect in a server-side call.
            wr.Headers.Add("Sec-Fetch-Site", "same-origin");
            wr.Headers.Add("Sec-Fetch-Mode", "cors");

            wr.Accept = "application/json";
            wr.ContentType = "application/json";

            byte[] data = null;

            wr.Method = "POST";
            data = Encoding.UTF8.GetBytes(UsernamePassword());
            wr.ContentLength = data.Length;
            wr.KeepAlive = true;
            wr.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;

            try
            {
                using (Stream stream = wr.GetRequestStream())
                {
                    stream.Write(data, 0, data.Length);
                    stream.Flush();
                }

                using (HttpWebResponse httpResponse = (HttpWebResponse)wr.GetResponse())
                {
                    // CharacterSet can be empty, which makes GetEncoding throw; fall back to UTF-8.
                    var encoding = string.IsNullOrEmpty(httpResponse.CharacterSet)
                        ? Encoding.UTF8
                        : Encoding.GetEncoding(httpResponse.CharacterSet);

                    // The posted code ends here; the body is read and returned so the method compiles.
                    using (var reader = new StreamReader(httpResponse.GetResponseStream(), encoding))
                    {
                        return reader.ReadToEnd();
                    }
                }
            }
            catch (WebException)
            {
                // The original catch block is not shown; rethrow so callers see the failure.
                throw;
            }
        }
    }
Computer
  • That's what TLS/https is for. – germi Nov 27 '19 at 08:47
  • Try to understand where you need to use GET and where you have to use POST. Do that and you will have the answer to this question. – Ajay Kumar Oad Nov 27 '19 at 08:51
  • @germi so do you mean I just add some code to transfer the username/password over TLS? – Computer Nov 27 '19 at 08:54
  • @ajay Kumar - please re-read the question, I have clearly stated where I'm doing a POST/GET request. – Computer Nov 27 '19 at 08:55
  • @Computer HTTPS should be the default by now - if you're transmitting credentials in the clear over HTTP you're doing it wrong. TLS takes care of encrypting the data - that's what it's there for, so one should use it. – germi Nov 27 '19 at 08:58

1 Answer


@germi is right. That's exactly what TLS/Https is for. The fact that you can see the content of your https request doesn't mean anyone can.

As long as your endpoint is using https (and not http), the exchange will happen over an encrypted channel. If you want to verify, install Wireshark and see for yourself.

devb
  • Thanks! I've amended my original post to contain the code I'm sending. It does have the URL set as https, but is there anything else I need to add? – Computer Nov 27 '19 at 10:02
  • @Computer don't store the username/password in the code. Though you're not accessing a database, it's the same problem as in this post: https://stackoverflow.com/questions/11685206/how-do-i-safely-store-database-login-and-password-in-a-c-sharp-application Have a look at the answer there for further information on how to deal with that. – devb Nov 27 '19 at 10:28
  • I will look into that article shortly. The password is coming from the Web.config (but not encrypted), so I use ConfigurationManager to get the value and pass it into the UsernamePassword code. – Computer Nov 27 '19 at 11:17
  • @Computer *don't* do that. That functionality is rarely used and seldom in production. The doc page you found this on explains this is only for development purposes. – Panagiotis Kanavos Nov 27 '19 at 11:23
  • @PanagiotisKanavos are you suggesting not to store it in the config file unencrypted? If so, I am currently looking at https://stackoverflow.com/questions/6291322/how-to-encrypt-username-and-password-in-web-config-in-c-sharp-2-0 to encrypt it, which I was led to from the article posted above. – Computer Nov 27 '19 at 11:27
  • Don't copy code without understanding what it's doing. Don't store accounts in web.config *at all*. You'll *have* to change account passwords at some point. Having to redeploy or even edit in production and recycle your site isn't a great idea. Read [Copying code from Stack Overflow? You might be spreading security vulnerabilities](https://stackoverflow.blog/2019/11/26/copying-code-from-stack-overflow-you-might-be-spreading-security-vulnerabilities/) – Panagiotis Kanavos Nov 27 '19 at 11:31
  • And don't treat SO *answers* as if they were tutorials, documentation or even blog posts. They aren't. – Panagiotis Kanavos Nov 27 '19 at 11:32
  • @PanagiotisKanavos The code I posted was shortened for ease of readability. I found this article which allows me to encrypt my config: https://goenning.net/2014/03/09/how-to-safely-store-configuration-settings-in-webconfig/ – Computer Nov 27 '19 at 11:46
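An added example (not the asker's or answerer's code) that applies the two points made in this thread: credentials only ever leave the process over an https URL with default certificate validation, and they are read from the host environment rather than from source or web.config. Fiddler can show the decrypted request only because its own root certificate is trusted on the developer machine, which is why the answer's "you can see it" does not mean "anyone can". The class, method and environment-variable names are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web.Script.Serialization;

// Added example, not the asker's code. Class and variable names are hypothetical.
public static class TokenClient
{
    // Assumed: endpoint and credentials are injected by the host as environment
    // variables, so nothing secret sits in source or in web.config.
    public static string GetToken()
    {
        var uri = new Uri(Require("TOKEN_ENDPOINT"));   // placeholder variable name
        string user = Require("SERVICE_USER");
        string password = Require("SERVICE_PASSWORD");

        // Never put credentials on the wire unless the scheme is https.
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Token endpoint must use https: " + uri);

        // Offer only TLS 1.2 to the server (add Tls13 on .NET Framework 4.8+).
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        // Certificate validation stays at its default: a ServerCertificateValidationCallback
        // that returns true is exactly what lets an interception proxy read the traffic.

        var request = (HttpWebRequest)WebRequest.Create(uri);
        request.Method = "POST";
        request.Accept = "application/json";
        request.ContentType = "application/json";
        request.AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate;

        byte[] body = Encoding.UTF8.GetBytes(
            new JavaScriptSerializer().Serialize(new { User = user, Password = password }));
        request.ContentLength = body.Length;
        using (Stream s = request.GetRequestStream())
            s.Write(body, 0, body.Length);

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream(), Encoding.UTF8))
            return reader.ReadToEnd();   // raw token JSON; parse as the service documents
    }

    private static string Require(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException("Missing environment variable " + name);
        return value;
    }
}
```

Rotating the service password then means changing the environment variable on the host and recycling the app pool, with no code or web.config change to deploy.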