
Can User Credentials be captured when using Forms Authentication

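If I am using Forms Authentication running over standard HTTP, when a user enters their username and password into the ASP.net login form, can this information be captured (excluding key-logging software), and is their data therefore secure?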

Authentication running on standard HTTP, when the user enters their username & password into the login ASP.net form, can this info be captured?

Short Answer : Absolutely. Everyone and anyone can capture this information once it is submitted.

Long Answer : Anyone and everyone can see all traffic using the HTTP (or HTTPS) protocol. However, through the provided security (encryption) afforded by HTTPS, that data would not be of any value to someone that can't decrypt it.

Therefore, if your login form is submitting user credentials (as well as loading the login form, but I'll come back to that in a moment) over HTTP, that user's data is insecure and can be captured as it is being sent plain text.

But be aware, as important as it is to send sensitive data (such as credentials) over HTTPS, it's just as important to load the login form over HTTPS as well.

Why?

Because, while the form is being loaded over HTTP, it allows for man-in-the-middle (MiTM) attacks (and, say, injecting a keylogger). So even though they submit their credentials over HTTPS, the damage was already done when they were inputting their credentials.
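
A Web.config sketch of the mitigation for both points above (the login form is loaded over HTTPS and the credentials and auth cookie only travel over HTTPS). This is an added example, not part of the original answer. The login path, timeout and max-age are assumed values, and the redirect rule assumes the IIS URL Rewrite module is installed.

```xml
<!-- Weak (default) form, shown for contrast: requireSSL defaults to false,
     so the login page and the auth cookie may travel over plain HTTP.
       <authentication mode="Forms">
         <forms loginUrl="~/Login.aspx" />
       </authentication>
-->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true": the forms-auth cookie is issued with the Secure
           flag, so the browser never sends it over plain HTTP.
           loginUrl and timeout are assumed values. -->
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="20" />
    </authentication>
    <!-- Same protection for every other cookie the application sets. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Send any HTTP request (including one for the login form itself)
             to its HTTPS equivalent before a page is served.
             Requires the IIS URL Rewrite module. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- HSTS: after one HTTPS visit the browser goes straight to HTTPS,
             which closes the window where the first HTTP request could be
             tampered with. max-age is an assumed value (one year). -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The redirect alone does not protect a first request made over HTTP, which is why the HSTS header is included alongside it.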
