Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to safely include password in query string

Tags:

c#

passwords

query-string

asp.net

encryption

Is it possible to safely include a password in a query string for a c# asp.net site.

Few assumptions and things I know -

  1. The site does not and will not have links/images/javascript/analytics to/from other sites. So no referrer links to worry about.
  2. ALL communication with the web browser will be over https.
  3. I know that the query string will remain in the history of the computer.
  4. More than just the password/username is needed to login. So simply pasting the url back into the browser will not result in a login.

I know the site may be susceptible to cross site scripting and replay attacks. How do I mitigate these?

Given the above scenario, how should I include a password in a query string?

Please don't ask me 'why', I know this is not a good idea, but it is what the client wants.

like image 535
tom Avatar asked Nov 19 '25 01:11

tom

1 Answers

SSL

You can safely send the password to a web server using a SSL connection. This encrypts all the communication between the client/server.

Hide In The Header

Basic authentication protocols place the user/password information in the HTTP request header. C# and many other web server languages can access this information, and use it to authenticate the request. When mixed with SSL this is very safe.

Register An Application Key

If none of the above is possible, then it's recommended that you create a unique key for each user. Rather then send their password this key is used. The advantage is that the key is stored in the database and can be removed. The user's password remains unchanged, but they must register again to get a new key. This is good if there is a chance someone could abuse their key.

Perform Hand Shaking

Hand shaking is where the client makes a request to the server, and the server sends back a randomly generated key. The client then generates a hash from that key using a secret, and sends it back to the server. The server can then check if the client knew the correct secret. The same thing can be done where the password is the secret instead and the client includes username details in the request. This can authenticate without ever sending the password.

Encrypt Password

If none of the above are possible options, then you could attempt to use JavaScript to encrypt the password before it's sent via an open URL. I found an open source version the AES block cipher. The project is called JSAES and supports 128 to 256 bit encryption. There might be other JS libraries that do the same thing.

like image 73
Reactgular Avatar answered Nov 21 '25 14:11

Reactgular
Sign in to Comment

Related questions

How to bind List<> to dataGridview C#
Error in inserting statement when inserting
Convert KeyValuePair<int,string> to an int[] array and string[] array

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!