How to securely send password to website

Vladas Razas
Ranch Hand

Joined: Dec 02, 2003
Posts: 385
Hi,
I would like to use form authentication, i.e. a login page for users to authenticate. However, I don't want either the user name or the password to be sent unencrypted. Is there a way to do it (using form authentication...)? Even my bank uses form authentication and only once I enter login/password it switches to HTTPS, so I assume my password is not transferred securely?
My best regards
Vladas Razas
Ranch Hand

Joined: Dec 02, 2003
Posts: 385
Clarification: I write servlets and JSP. I am not trying to send passwords to other websites; I just want users to log in to my site securely.
David O'Meara
Rancher

Joined: Mar 06, 2001
Posts: 13459

HTTPS negotiates a secure (encrypted) channel between the client and the server before any data is sent, so the username and password are encrypted when being sent to the server even if the secure connection is negotiated after you press the 'login' button.
A couple of side points to make though:
* You have to POST the data, if you use the GET method to send the username and password they aren't secure.
* Also, never ever send the password back to the client. Not to pre-populate a password field, not as a password reminder, not in a registration page, not even if the page is encrypted, never, not ever.
* If you want to encrypt your site, you'll need a signed certificate. You can buy an official one for production sites, or you can create your own self-signed certificate if you are just playing around.
Dave
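
Added example (editor's illustration, not part of any post in this thread): a `WEB-INF/web.xml` fragment for container-managed form authentication that requires an encrypted transport, so the login page and the credential POST both travel over HTTPS. The page names `/login.jsp` and `/login-error.jsp` and the role name `user` are assumptions.

```xml
<!-- Added example: names marked "assumed" are placeholders, not from the thread. -->

<!-- Protect the application and require an encrypted transport. With
     CONFIDENTIAL, the container rejects or redirects plain-HTTP requests
     before the login form is ever served, so the form itself is loaded
     over HTTPS and the credentials are posted over HTTPS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Form authentication: the container shows the login page when an
     unauthenticated user requests a protected resource. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>       <!-- assumed path -->
    <form-error-page>/login-error.jsp</form-error-page> <!-- assumed path -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

The login page's form uses `method="post"` with `action="j_security_check"` and fields named `j_username` and `j_password`; the error page re-displays the form without echoing the submitted password.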
Vladas Razas
Ranch Hand

Joined: Dec 02, 2003
Posts: 385
But the user will also have to get a certificate?
What's wrong with password postback? Is it not encrypted?