How to securely send password to website

 
Ranch Hand
Posts: 385
Hi,
I would like to use form authentication, i.e. a login page for users to authenticate. However, I don't want either the user name or the password to be sent unencrypted. Is there a way to do it (using form authentication...)? Even my bank uses form authentication and only once I enter login/password does it switch to HTTPS, so I assume my password is not transferred securely?
My best regards
 
Vladas Razas
Ranch Hand
Posts: 385
Clarification: I write servlets and JSP. I am not trying to send password to other websites, I just want users to login to my site securely.
 
Rancher
Posts: 13459
HTTPS negotiates a secure (encrypted) channel between the client and the server before any data is sent, so the username and password are encrypted when being sent to the server even if the secure connection is negotiated after you press the 'login' button.
A couple of side points to make though:
* You have to POST the data; if you use the GET method to send the username and password, they aren't secure.
* Also, never ever send the password back to the client. Not to pre-populate a password field, not as a password reminder, not in a registration page, not even if the page is encrypted, never, not ever.
* If you want to encrypt your site, you'll need a signed certificate. You can buy an official one for production sites, or you can create your own self-signed certificate if you are just playing around.
Dave
 
Vladas Razas
Ranch Hand
Posts: 385
But the user will also have to get a certificate?
What's wrong with password postback? It's not encrypted?
 