
Thread: Can I send a JSON string with a password in a POST on HTTPS?

  1. #1

    Thread Starter
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    17,852

    Can I send a JSON string with a password in a POST on HTTPS?

    Is it safe to send a POST to a web method with a JSON string containing a clear text version of a password for authentication?

    Who could sniff that password on the way from client to web method?

    I saw some posts a while ago on "salting" a password - is that something you do in JS on the client side and then "unsalt" on the server?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  2. #2
    Frenzied Member MattP's Avatar
    Join Date
    Dec 2008
    Location
    WY
    Posts
    1,227

    Re: Can I send a JSON string with a password in a POST on HTTPS?

    The best solution would be to use SSL.

    If that's not a possibility you may be able to use: jQuery.SHA256.js.
    This pattern is common to all great programmers I know: they're not experts in something as much as experts in becoming experts in something.

    The best programming advice I ever got was to spend my entire career becoming educable. And I suggest you do the same.

  3. #3

    Thread Starter
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    17,852

    Re: Can I send a JSON string with a password in a POST on HTTPS?

    It is HTTPS - so that's SSL - that makes it ok to send as clear text in JSON?


  4. #4
    Frenzied Member MattP's Avatar
    Join Date
    Dec 2008
    Location
    WY
    Posts
    1,227

    Re: Can I send a JSON string with a password in a POST on HTTPS?

    Oops missed the HTTPS from the thread title.

    As long as you're in an SSL tunnel you should be fine. If you want to go the extra mile the SHA256 plugin seems easy enough to implement.

  5. #5
    ASP.NET Moderator mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,174

    Re: Can I send a JSON string with a password in a POST on HTTPS?

    A man-in-the-middle attack could sniff your password, but that's where your cert comes in: make sure you buy a cert from a CA that is 'recognizable' and well known so that the user "trusts" it. Don't hash/salt your passwords before sending them, as you are then giving away how you store the passwords in the database. Perform hash/salt on the server itself.

  6. #6

    Thread Starter
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    17,852

    Re: Can I send a JSON string with a password in a POST on HTTPS?

    Some of my customers use AD authentication - so I need to send "original text" of password to authentication service.

    We just created an "invitation" technique to get some "contacts" to log in with their emails and create an account with a password. I would normally store these passwords in clear text in SQL - but that seems like a bad idea.

    What is the typical method of salting a password in VB.Net type code on the server? Just create a SECURESTRING and store that??

    Or some simple one-way encryption?

