ASP.NET Forms Authentication - Protection not working for me

In my web.config file I've got the following:

<authentication mode="Forms">
    <forms name=".ASPXAUTH" protection="All" loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

But when I log in and watch the traffic with Fiddler, I can still see the password in plain text. I have no idea what's wrong.

Regards,

matt


I only know of two solutions to this:

  1. Use HTTPS. Best solution, most secure.
  2. Use a JavaScript library (sha1) to hash the password before sending it (and CLEAR the original password field!). Also use a randomly generated salt that is different for every login, store the salt on the server and in a hidden field, so you can check the salt too (user may not change it).


Forms authentication only addresses access to URL endpoints within your application, but it does not address how the data is being transferred to and from the clients - what you are seeing through Fiddler is the normal HTTP traffic.

Usually at least the login page of all major sites is done via HTTPS, so you cannot spy on the plain text HTTP.
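
What the answers describe, as an added web.config sketch that is not part of the original posts: `protection="All"` encrypts and validates only the authentication ticket in the cookie, so the login form itself has to travel over HTTPS. The `requireSSL` and `httpOnlyCookies` attributes are standard ASP.NET settings; an HTTPS binding with a valid certificate on the site is assumed.

```xml
<!-- Added example, not from the original posts. -->
<configuration>
  <system.web>

    <!-- As posted in the question. protection="All" encrypts and validates
         the ticket stored in the .ASPXAUTH cookie. It does nothing for the
         login POST, so the password is readable in Fiddler over HTTP.

    <authentication mode="Forms">
      <forms name=".ASPXAUTH" protection="All"
             loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>
    -->

    <!-- Hardened form: requireSSL="true" marks the ticket cookie Secure,
         so the browser sends it only over HTTPS connections. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" protection="All" requireSSL="true"
             loginUrl="~/Account/Login.aspx" timeout="2880" />
    </authentication>

    <!-- Same policy for the other cookies the application sets:
         Secure flag plus HttpOnly (not readable from script). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />

  </system.web>
</configuration>
```

These settings protect the cookies only; the password is protected in transit once Login.aspx is requested and posted over HTTPS.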
