<forms name=".ASPXAUTH" prot">

Protection not working for me

In my web.config file I've got the following:

<authentication mode="Forms">
   <forms name=".ASPXAUTH" protection="All" loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

But when I log in and watch the traffic with Fiddler, I can still see the password in plain text. I have no idea what's wrong.

Regards,

matt


I only know of two solutions to this:

  • Use https. Best solution, most secure.
  • Use a javascript library (sha1) to hash the password before sending it (and CLEAR the original password field!). Also use a randomly generated salt that is different for every login, store the salt on server and in a hidden field, so you can check the salt too (user may not change it).

Forms authentication only addresses access to URL endpoints within your application, but it does not address how the data is being transferred to and from the clients - what you are seeing through Fiddler is the normal HTTP traffic.

Usually at least the login page of all major sites is done via HTTPS, so you cannot spy on the plain text HTTP.
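The question's web.config with the transport gap closed, as an added example that is not part of the original question or answers. It assumes the site already has an HTTPS binding in IIS and that the IIS URL Rewrite module is installed; the rule name is made up for illustration.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and validates the forms-authentication
           ticket inside the cookie. It does nothing for the login POST body. -->
      <!-- requireSSL="true" marks the ticket cookie Secure, so the browser
           only sends it back over HTTPS. -->
      <forms name=".ASPXAUTH" protection="All" requireSSL="true"
             loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>
    <!-- Secure and HttpOnly flags for the other cookies the application issues. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>

  <system.webServer>
    <rewrite>
      <rules>
        <!-- Send any plain-HTTP request to the same URL over HTTPS, so the
             login page is loaded, and its form posted, over TLS. -->
        <rule name="RedirectToHttps" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A capture taken on the network path then shows only the TLS stream. Fiddler running on your own machine will still display the password if its HTTPS decryption option is enabled, because it terminates TLS locally.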
