Security (passing through login variables)

Question

I have a security question. In a lot of our programs, when someone logs in, the login would be checked against our LDAP and their account information would be sent back via an HTML5 FORM tag:

<form id="form" name="form" action="<% = Request.Form("ReturnURL") %>">

%....some VB code ... %>

</form>

` ...which is all fine and well, except when you choose to "Inspect Element..." then the form data can be clearly read in clear text. Possibly wide open for session hijacking and Lord knows what else.

Basic question: whats the best way to pass LDAP information without compromising your users?

Specifically, whats the best way to do this in CSharp?

Comments

"Passing" LDAP information is ok from a security perspective. Storing it in the dom of your page, though, is not a good idea. Usually a login library, upon successful login, will issue a token of some kind that your page then stores. This token is opaque to the end user and is safe to have on the client side. Your page just deals with the token, not the actual credentials.

---

So storing info in a DOM is not advisable. Then what is a preferred method?

---

What do you mean by "account information"? Stuff like a) first name and last name or stuff like b) username and password? Also what is your web platform? ASP.NET Webforms? If so, you can use Session to hold that stuff. Most platforms will have some form of session available to you.

---

Password was thankfully weeded out, but essentially there is too much in the form that is visible for me to be comfortable with (username, all database access rights and permissions, etc). We are using ASP.NET w/ SQL 2016.

---

I would really look into using Session State. Basically once a user logs in successfully store everything you will need into the Session State. msdn.microsoft.com/en-us/library/ms178581.aspx Let the platform take care of encrypting it for you!