How secure passing user credentials like user name, password values in query string to httphandler

Hi,

 How secure passing user credentials like user name, password values in query string to httphandler

 like login.ashx?uid=xxx&pwd=yyy

 

Surendra


Surendra
If this helps mark it as answer
0
surendra_kla
10/20/2008 11:27:22 AM
asp.net.handlers-modules 2116 articles. 0 followers. Follow

2 Replies
812 Views

Similar Articles

[PageSpeed] 3

I believe it's very insecure. Anyone who is smart enough can get the credentials from the querystring directly.


Thanks,
Max
Let Me Google That For You!
0
bullpit
10/20/2008 12:15:25 PM

 Have a look at Create a querystring that is encrypted and expires at http://www.codeproject.com/KB/dotnet/EncryptionAndQueryStrings.aspx

Whilst I would not recommend any design that passed user name and password in the query string, if you are mandated to do such a design, then besides lodging your protest politely but firmly to the specifier,  you should encrypt the querystring.

 


Don't forget to click "Mark as Answer" on the post that helped you.
This credits that member, earns you a point and marks your thread as Resolved so we will all know you have been helped.
0
TATWORTH
10/21/2008 11:03:49 AM
Reply:

Similar Artilces:

Passing user credentials in query string to httphandler (ex: login.ashx)
Hi, I am in situation like:I have a handy login box in flash and i want to process the login request in .NET, So currently i am passing username and password values in querystring from flash object to login.ashx  like (login.ashx?uid=MyuserName&pwd=Mypassword), from there redirecting to success page or failure page.everything is fine, but i dontknow how secure this approch like passing user credentials in query string to httphandler.Please any one help me out in this : 1) how secure passing user credentials like user name password values in query string to httphandler.2) Is the...

password recover ? it sent me new user password, how can i get user password ? (not new user password )
hi password recovery sent me new user password, how can i get user password ?(not new user password) it also changed user password to new user password. i want that it should not change user password how can i do this ? SincerelyMark as me if my question or my answer can be helpful for you :) Refer to these two articles.http://msdn.microsoft.com/en-us/library/ms178335.aspxhttp://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/passwordrecovery.aspx Hope this helps.  hi thank you for your reply :) i have deleted enablePasswordReset="t...

Authenticate user when changing the value in Query string included in URL(Need Security)
Hi In my Web Application, Depending on Query string value(userId) I am displaying the Details of a User. So If I change the query string value in URL which automatically displaying the results. Like In this URL ForumID=25 to 26, 27, 28.   http://forums.asp.net/AddPost.aspx?ForumID=25  I am using Form Authentication and I have tried by adding the code enableCrossAppRedirects="false" but It' s repeating Same. <authentication mode="Forms"><forms name="security" loginUrl="Login.aspx" defaultUrl="Home.asp...

Unknown User name/password after 2 users
We have just installed NW 5.1 with SP7 iso from novell.com (fresh install) we added our 5 user server license and an additional 25 user license. everything installed with no errors. we are going prroduction and found only 2 users can log (any two of 10) in. even admin is unable to login. we are using bindery mode, with window client for netware on win2k desktop we have current 3.12 servers worling with no issues. any suggestions? we have removed the licenses and put back, everything seems to be ok.. HELP Sounds like you have user license for the wrong version. -- Dave Lunn NSC Sy...

Separting the User name from the Machine name in User.Identity.Name
string userNameWithMachineName = User.Identity.Name; string userNameWithoutMachineName = System.IO.Path.GetFileName(userNameWithMachineName); HighOnCodingWanna get high! ...

Query logged in user
First, the obliquity I am a newbie to ASP! I have Googled for while now but cannot seem find a solution to my problem. I am trying to display the details of the logged in user (UserName). Below is my code but nothing is displayed by the query. The Label ID="lblIdentity" does display the logged on users username correctly . Any help would be appreciated.   ASPX page…     <asp:Label ID="lblIdentity" runat="server" Style="z-index: 104; left: 14px; position: absolute;             top: 28px" Text="Label">...

Create a new user and email then user name and password
Hello I am using CreateUser method to create a new user when a new person is inserted into a database. (On FormView_ItemInserted event) I would like  to then email the new user thier username and password.  Can anyone help with how to do this please. Thanks  there are bunch of examples on the internet.  Here is one from scott that is very good.http://aspnet.4guysfromrolla.com/articles/072606-1.aspx Peter Kellnerhttp://73rdstreet.com and blogging athttp://PeterKellner.netMVP, ASP.NET Thanks for the link.But what I want to achieve is to send a username an...

pass user name as a parameter in a query
just getting started with my first db driven web project... I am using a MySql database with membership and roles and got that working fine. I have tables containing details of courses that users are enrolled on etc. and want to display a list of courses for the user that is signed in, so he can continue lessons on the one of his choice. How do I pass the users name to the database query for a DataList control. So far I have tried lots of variations of the following: <asp:SqlDataSource ID="dsCourses" runat="server" ConnectionString="<%$ ConnectionStrings:xxx %>"   ...

Authenticate user on domain without user supplying name and password
If a user requests an asp .net form on our intranet from a windows 2003 server, can the user get the requested page without supplying a name and password but still be authenticated on the domain. It seems possible since the user is already logged into the domain on the local computer. I need to capture the users login name, so annonymous access won't work, and I don't want the user to have to supply a name and password for simplicity. Any suggestions? You could put all the users into an active directory group, then check their membership with that group.  If they are not a member...

Pass value from one User Control to another User Control
I have tried to pass value from one user control to another user control. Because of Page Auto Postback, Contrls are load before page is loaded. So I get the value in 2nd UC after one more post back operation. I have visited many suggessions but I cant solve this. Is anyone can help me to solve this. Thank U mfhossain@gmail.com Muhmmad Fakhrul HossainEmail: mfhossain@gmail.comPhone: +88 01715 111512Web: http://www.mfhossain.info You'd have to do that through the parent probably in it's Page_Load event handler.   userControl1.publicProperty = userControl2.publicProperty;  ...

Problems passing values from parent user control to child user control
PARENT (EmployeeView.ascx) <asp:TextBox id="txtEID" runat="server">3</asp:TextBox> <asp:PlaceHolder id="plhDetail" runat="server"></asp:PlaceHolder> Private Sub lnkGeneral_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles lnkGeneral.Click plhDetail.Controls.Add(Me.LoadControl("ucGeneral.ascx")) End Sub Public Property pEID() As Integer Get Return CInt(txtEID.Text) End Get Set(ByVal Value As Integer)...

Passing Values between user controls VB.net
Hi, I am a newbee to .net and have been asked to look at an existing project.I have an aspx page called EditModule.aspx, this page contains 3 user controls named:BasicModuleInformation.ascxModuleLeaders.ascxModuleStudents.ascxThe user control BasicModuleInformation contains a dropdown list named "dropSchoolDept" What I want to do is pass the value of BasicModuleInformation_dropSchoolDept to ModuleLeaders_DropDept and ModuleStudents_DropDept.I have set up a session:Set Value:    Protected Sub setSession_SelDept()        Session("...

System.NetMail
I am using the new System.Net.Mail and the code below works ok for certain emails. The person with the messaging.sprintpcs.com receives an emila but the person with MyDomain.com does not. 1. Any ideas why? 2. When people login into this ASP.NET webform, I retreive the persons email server, user name and password. When the email goes out, I need to use the email server of the person logged in. I have not been able to figure out how to pass the user name and password? 3. Should I be doing this a different way, is smpt the correct way? Dim client As New System.Net.Mail.Smt...

how to get a value passed to a user control into a query
I am getting the error in an ascx file that says        Invalid column name 'Label'        I think from line in bold type. The error message does not say which line though. The value is sent in this way from an aspx file        <prefix1:name1 TestData='<%#eval("demid")%>' ID="ctrlTester1" runat="server" /> How can I get that value demid  to the WHERE expression in the query?  <%@ Import Namespace...

Web resources about - How secure passing user credentials like user name, password values in query string to httphandler - asp.net.handlers-modules

Credential Recordings - Wikipedia, the free encyclopedia
Credential Recordings is a Nashville-based record label , focusing generally on the pop rock genre. It began branching out when it agreed on ...

GraphicMail, Janrain Engage Enable Email Newsletter Signup Via Facebook Credentials
... Janrain Engage to its clients’ customizable newsletter signup forms, allowing them to sign in with their Facebook account information, or credentials ...

Credentials in the slush give Gai Waterhouse an edge in Doncaster Mile
Mud and slush credentials, human and horse, promise to give Gai Waterhouse an edge, particularly with Pornichet in the Doncaster, on Monday's ...

Abbott details his credentials
Abbott details his credentials

Facebook attacked with credential-harvesting malware - MediaFire, applications, Data Protection - Social ...
Dorkbot variant infection unusual because the criminals exploited a flaw in the file-sharing site MediaFire to spread the malware

Maxwell ready to express Test credentials
GLENN Maxwell’s fearless attitude to strokeplay has made him a star of short-form cricket and a Test wannabe.

Obama mocks Romney military credentials
Sky News is Australia's leader in 24-hour news. Barack Obama has aimed to belittle rival Mitt Romney's commander-in-chief credentials, accusing ...

Malcolm Fraser's unrealised manifesto - an Australian republic with green credentials
The political party Malcolm Fraser was working to set up when he died was to stand for an Australian republic which was reconciled with its first ...

Top AFL draft prospect Christian Petracca proves his midfield credentials
You might already know Christian Petracca. If you like football, like coffee and like to grab one inside the MCG then there's a very good chance ...

Irish shed inhibitions to prove World Cup credentials
Joe Schmidt's team use their licence to attack to show doubters they can win with flourish, writes Oliver Brown

Resources last updated: 12/20/2015 11:28:41 PM