I am helping test a .NET application that accepts a user's name and password. The application runs over SSL and is hosted via an iframe on a page that is also set up with SSL (so the user can see the https on the parent page and feel confident about entering information).
So, to be clear, there is a page https://www.mydomain.com/mypage.aspx and, inside that page, there is an iframe which references a .NET application on the same server as https://www.mydomain.com/apps/myapp.aspx
When the user submits the page, I am watching the headers via the Filezilla browser addon "Live HTTP Headers". To my dismay, the form data, including user name and password, is displayed in plaintext in the POST section of the headers.
My conclusion is that the information is not being encrypted. Is that correct? If so, what is the best solution?
If you are posting those form variables over https/SSL then the actual transmission will be encrypted. You'll be able to view them in the browser extension, but the browser will have to encrypt them to send them to the server via SSL, so long as the post is actually posting to https:// and not http://.
You shouldn't return the username/password pair to the user; instead, authenticate the user and, if it matches, use something like forms authentication to generate a token that authenticates them for the current session.
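As an added check (not part of the answer above) that the form really does post to https:// and not http://, this Python script resolves the iframe src and each form action against the URL of the page that hosts them and flags any target whose scheme is plain http. The sample markup is constructed to mirror the layout described in the question; the URLs are the question's own, the HTML is an assumption.

```python
"""Resolve iframe src and form action URLs against the hosting page and flag
any that would post over plain http://. Plaintext in Live HTTP Headers is
expected (it shows the body before TLS); the scheme of the target is what counts."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAndFrameParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "form":
            # A form with no action attribute posts back to the document's own URL.
            self.forms.append(a.get("action") or "")


def check_page(page_url, html):
    """Return (kind, resolved_url, is_https) for every iframe and form found."""
    p = _FormAndFrameParser()
    p.feed(html)
    targets = [("iframe", s) for s in p.frames] + [("form", f) for f in p.forms]
    results = []
    for kind, ref in targets:
        url = urljoin(page_url, ref)  # relative refs inherit the page's scheme
        results.append((kind, url, urlsplit(url).scheme == "https"))
    return results


def all_https(page_url, html):
    return all(ok for _, _, ok in check_page(page_url, html))

# Constructed sample markup (not taken from the question). The parent page
# frames the app with a relative src; one app variant posts to an absolute
# http:// action, which is the misconfiguration that would expose the POST body.
PARENT_URL = "https://www.mydomain.com/mypage.aspx"
PARENT_HTML = '<iframe src="/apps/myapp.aspx"></iframe>'
APP_URL = "https://www.mydomain.com/apps/myapp.aspx"
APP_HTML_OK = '<form method="post" action="myapp.aspx"><input name="pw" type="password"></form>'
APP_HTML_BAD = '<form method="post" action="http://www.mydomain.com/apps/myapp.aspx"></form>'

if __name__ == "__main__":
    for url, html in [(PARENT_URL, PARENT_HTML), (APP_URL, APP_HTML_OK), (APP_URL, APP_HTML_BAD)]:
        for kind, target, ok in check_page(url, html):
            print(f"{kind:6} {target} -> {'https OK' if ok else 'PLAINTEXT POST'}")
```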