2
votes

In my web.config file I've got the following:

<authentication mode="Forms">
   <forms name=".ASPXAUTH" protection="All" loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

But when I log in and watch the traffic with Fiddler, I can still see the password in plain text. I have no idea what's wrong.

Regards,

matt

2
Is it that you see the password in the cookie in plain text, or you see the password in plain text just when logging in? - Scott Mitchell

2 Answers

2
votes

I only know of two solutions to this:

  1. Use HTTPS. Best solution, most secure.
  2. Use a JavaScript library (SHA-1) to hash the password before sending it (and CLEAR the original password field!). Also use a randomly generated salt that is different for every login, store the salt on the server and in a hidden field, so you can check the salt too (the user may not change it).

1
votes

Forms authentication only addresses access to URL endpoints within your application, but it does not address how the data is being transferred to and from the clients - what you are seeing through Fiddler is the normal HTTP traffic.

Usually at least the login page of all major sites is done via HTTPS, so you cannot spy on the plain text HTTP.
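As an added example (not from the question or either answer), here is the asker's web.config fragment with the settings that actually cover the transport: `protection="All"` only encrypts and signs the ticket cookie issued after login, so the corrected config adds `requireSSL` on the forms element, Secure/HttpOnly flags for all cookies, and an HTTP-to-HTTPS redirect for the login page itself. It assumes a TLS certificate is already bound to the site in IIS and that the IIS URL Rewrite module is installed.

```xml
<configuration>
  <system.web>
    <!-- protection="All" only encrypts and signs the .ASPXAUTH ticket cookie
         that is issued AFTER a successful login. The username and password in
         the login POST are ordinary form fields; this setting never touches them. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             protection="All"
             loginUrl="~/Account/Login.aspx"
             timeout="2880"
             requireSSL="true" />  <!-- ticket cookie gets the Secure flag and the
                                       runtime refuses to issue it on a non-HTTPS request -->
    </authentication>

    <!-- Apply Secure and HttpOnly to every cookie the application sets
         (session id included), not just the forms ticket. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>

  <system.webServer>
    <!-- Assumes the IIS URL Rewrite module. Redirect every plain-HTTP request to
         HTTPS so the login page, and the POST it submits, are never sent in clear. -->
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- Once the whole site is served over HTTPS, tell browsers to stop
         attempting plain HTTP at all (HSTS, one year). -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

With this in place, Fiddler shows the login request as an HTTPS session rather than readable form fields, unless HTTPS decryption has been enabled in Fiddler itself.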