Security (passing through login variables)

0 投票
最新提问 用户: (120 分)

I have a security question. In a lot of our programs, when someone logs in, the login would be checked against our LDAP and their account information would be sent back via an HTML5 FORM tag:

<form id="form" name="form" action="<% = Request.Form("ReturnURL") %>">

%....some VB code ... %>


` ...which is all fine and well, except when you choose to "Inspect Element..." then the form data can be clearly read in clear text. Possibly wide open for session hijacking and Lord knows what else.

Basic question: whats the best way to pass LDAP information without compromising your users?

Specifically, whats the best way to do this in CSharp?

发表于 用户: (120 分)
"Passing" LDAP information is ok from a security perspective. Storing it in the dom of your page, though, is not a good idea. Usually a login library, upon successful login, will issue a token of some kind that your page then stores. This token is opaque to the end user and is safe to have on the client side. Your page just deals with the token, not the actual credentials.
发表于 用户: (120 分)
So storing info in a DOM is not advisable. Then what is a preferred method?
发表于 用户: (120 分)
What do you mean by "account information"? Stuff like a) first name and last name or stuff like b) username and password? Also what is your web platform? ASP.NET Webforms? If so, you can use Session to hold that stuff. Most platforms will have some form of session available to you.
发表于 用户: (120 分)
Password was thankfully weeded out, but essentially there is too much in the form that is visible for me to be comfortable with (username, all database access rights and permissions, etc). We are using ASP.NET w/ SQL 2016.
发表于 用户: (120 分)
I would really look into using Session State. Basically once a user logs in successfully store everything you will need into the Session State. Let the platform take care of encrypting it for you!

登录 或者 注册 后回答这个问题。

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。