Question

I'm wondering if I have a web service like this:

Login(username, password)

or a page like

login.aspx?u=username&p=pass

If they were called from a desktop app, which would be more secure? From what I've read, a sniffer can read the request and figure out the URL. I AM hashing the passwords before putting them in the request, but if someone sees the request URL with the params/query string then they can make the request with the same values!?

How easy/hard is it for a sniffer to figure out the hashed password? Should I encrypt the password and username before putting it into the URL and web service? Any other options I have?

I'm asking because the data is NOT all that sensitive, but basic security should exist at a minimal performance cost.

NOTE: SSL is NOT an option


Solution

Use SSL to create a unique session token via a login service. Use that session token over standard HTTP for the rest.

Your login session will need to take the username/password as a POST; otherwise the values will be visible in the URL request to the server and to possible snooping on the network.
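
The difference between the hashed-password parameter from the question and the session token described in this answer, as an added example that is not part of the original answer. A captured hash is accepted for as long as the password stays the same, while a token is random, expires and can be revoked. All function names, the sample account and the 15-minute lifetime are assumptions.

```python
import hashlib, hmac, os, secrets, time

# Constructed sample data: account name, password and TTL are assumptions.
PASSWORD = "correct horse"
SALT = os.urandom(16)
USERS_STATIC = {"alice": hashlib.sha256(PASSWORD.encode()).hexdigest()}
USERS_KDF = {"alice": hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, 100_000)}
SESSIONS = {}      # token -> (username, expiry time)
TOKEN_TTL = 900    # seconds

def login_static_hash(username, client_hash):
    """Question's scheme: the client sends hash(password) on every request."""
    return hmac.compare_digest(USERS_STATIC.get(username, ""), client_hash)

def login_issue_token(username, password, now=None):
    """Answer's scheme: credentials arrive once, in a POST body over SSL."""
    now = time.time() if now is None else now
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(USERS_KDF.get(username, b""), derived):
        return None
    token = secrets.token_urlsafe(32)   # random, unrelated to the password
    SESSIONS[token] = (username, now + TOKEN_TTL)
    return token

def check_token(token, now=None):
    """Return the username for a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    username, expiry = SESSIONS.get(token, (None, 0))
    if username is None or now >= expiry:
        SESSIONS.pop(token, None)
        return None
    return username

def logout(token):
    """Revoke a token on the server side."""
    SESSIONS.pop(token, None)

def demo():
    # The value visible in login.aspx?u=alice&p=<hash> on the wire.
    captured = hashlib.sha256(PASSWORD.encode()).hexdigest()
    replay_ok = login_static_hash("alice", captured)   # hash acts as the password
    token = login_issue_token("alice", PASSWORD, now=0)
    live = check_token(token, now=10)
    expired = check_token(token, now=TOKEN_TTL + 1)
    return replay_ok, live, expired
```
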

OTHER TIPS

Just use HTTPS to encrypt the channel. That way you don't have to worry about sniffers.

If you're working with a bank, you may be obliged to use SSL. Check your local legislation - I think this will also determine what is sensitive data.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow