Hi, I would like to use form authentication, i.e. a login page for users to authenticate. However, I don't want either the user name or the password to be sent unencrypted. Is there a way to do it (using form authentication...)? Even my bank uses form authentication and only once I enter login/password does it switch to HTTPS, so I assume my password is not transferred securely? My best regards
Vladas Razas
Ranch Hand
Joined: Dec 02, 2003
Posts: 385
Clarification: I write servlets and JSP. I am not trying to send password to other websites, I just want users to login to my site securely.
HTTPS negotiates a secure (encrypted) channel between the client and the server before any data is sent, so the username and password are encrypted when being sent to the server even if the secure connection is negotiated after you press the 'login' button.

A couple of side points to make though:

* You have to POST the data; if you use the GET method to send the username and password, they aren't secure.
* Also, never ever send the password back to the client. Not to pre-populate a password field, not as a password reminder, not in a registration page, not even if the page is encrypted, never, not ever.
* If you want to encrypt your site, you'll need a signed certificate. You can buy an official one for production sites, or you can create your own self-signed certificate if you are just playing around.

Dave
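The points in the answer above, as an added example that is not Dave's code or anything from the original thread: a servlet that serves the login form only over HTTPS, accepts credentials only via POST on a secure connection, never pre-fills the password field, and never echoes the submitted password in any response. It assumes a Servlet 3.1 container (for request.login and changeSessionId) with a realm configured for the application, and the paths /login and /home are arbitrary.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread. Assumes a Servlet 3.1+ container whose
// realm is configured for this web app; the /login and /home paths are arbitrary.
public class SecureLoginServlet extends HttpServlet {

    // GET only renders the form. The form itself is served over HTTPS, and it
    // always POSTs, so the credentials travel in the request body rather than
    // in the URL, the server access log or the Referer header.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        if (!req.isSecure()) {
            resp.sendRedirect(httpsUrlFor(req));
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<form method=\"post\" action=\"" + req.getContextPath() + "/login\">");
            out.println("  <input type=\"text\" name=\"username\" autocomplete=\"username\">");
            // No value attribute: the password field is never pre-populated.
            out.println("  <input type=\"password\" name=\"password\" autocomplete=\"current-password\">");
            out.println("  <input type=\"submit\" value=\"Log in\">");
            out.println("</form>");
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Credentials that arrived over plain HTTP have already been exposed;
        // redirecting to HTTPS at this point would not undo that, so refuse.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Log in over HTTPS only");
            return;
        }
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            req.login(username, password);   // the container realm checks the credentials
        } catch (ServletException e) {
            // Generic failure message: the response never contains the password.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().println("Login failed");
            return;
        }
        req.changeSessionId();               // new session id after login (session fixation)
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Same request URL with the https scheme; assumes the default port 443.
    private static String httpsUrlFor(HttpServletRequest req) {
        StringBuilder url = new StringBuilder("https://")
                .append(req.getServerName())
                .append(req.getRequestURI());
        if (req.getQueryString() != null) {
            url.append('?').append(req.getQueryString());
        }
        return url.toString();
    }
}
```

If you use the container's own FORM authentication instead of a servlet like this, the equivalent of the isSecure checks is a transport-guarantee of CONFIDENTIAL in the web.xml security-constraint that covers both the protected pages and the login page, so the form is never served or submitted over plain HTTP.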
Vladas Razas
But will the user also have to get a certificate? What's wrong with password postback? Is it not encrypted?