views: 499
answers: 4

I have a public facing web page in .Net that I would like to put anchor tags in that go to a web page produced by a Java server in my distributed system. For example, Bob logs in from the WWW and goes to the home page. I would like to have a link to http://javaserver/form.jsp?username:Bob in the home page. But that would be insecure if someone on the internal network was snooping. They could just put in that url and act as Bob through a replay attack. Encoding the username is also open to a replay attack. Any ideas? Thanks!

https://javaserver/form.jsp?username:Bob still opens me to a replay attack by just putting in that url.

A: 

I think the best solution is to use https. This way anything you send to Bob is secure from prying eyes.

Michiel
https will not help here because the url would still be the same...
LWoodyiii
+1  A: 

Use cookies and SSL in your authentication. I'd be surprised if you aren't already.

SpliFF
I started thinking the same thing, but it wouldn't work if he is passing to a new domain, right?
Joel Potter
@Joel: it wouldn't work with all domains, but in that case, you need more than this simple mechanism.
John Saunders
A: 

hmmm - just thinking out loud - if it's not https, it's open to snooping. You could encrypt the username with a timestamp so that the window is brief. Not a great answer, but since http is not secure....

NickAtuShip
+2  A: 
  • Use https on the public and the private servers
  • Send the user id and add a long and random token that will validate the user (to be delegated to the original server if necessary).
  • Use POST requests if you can

The random token should be created with a cryptographically secure random number generator. It should also be changed/invalidated after a certain amount of time. If you are going to delegate the verification to the public server, you will also need to authenticate the delegating (local) server in a secure manner. To prevent brute-force attacks, block repeated invalid attempts.

There are quite a few pitfalls, so be wary of implementing any sort of security mechanism yourself.

molf
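The handoff described in molf's answer (and the short validity window NickAtuShip suggests), as an added example that is not part of any of the answers above: the public server issues a random, single-use token once Bob has logged in, the internal server redeems it within a short TTL, repeated bad tokens from one source are locked out, and a verification request the internal server delegates back to the public server is signed with a shared secret so the public server knows who is asking. The class and function names, the TTL, the lockout threshold, the shared secret and the in-memory store are all assumptions for illustration; a real deployment would back the store with a database or cache that both servers can reach.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 60      # assumed: a handoff token lives one minute
MAX_FAILED_ATTEMPTS = 5     # assumed: lock a source after five bad redemptions


class HandoffTokenStore:
    """Issues and redeems one-time handoff tokens.

    Both servers must see the same store (shared database or cache);
    an in-memory dict stands in for it in this example.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so the expiry logic can be tested
        self._tokens = {}        # sha256(token) -> (username, expires_at)
        self._failures = {}      # source id -> consecutive failed redemptions

    @staticmethod
    def _digest(token):
        # Store only a hash: a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Public server: call once the user has authenticated there."""
        token = secrets.token_urlsafe(32)          # 256 bits from a CSPRNG
        self._tokens[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, username, token, source):
        """Internal server: call when the link is followed.

        Returns True at most once per token and only before it expires.
        Replaying the same URL therefore fails the second time.
        """
        if self._failures.get(source, 0) >= MAX_FAILED_ATTEMPTS:
            return False                            # brute-force lockout
        # pop() makes the token single-use whatever the outcome below
        entry = self._tokens.pop(self._digest(token), None)
        ok = (
            entry is not None
            and self._clock() <= entry[1]
            and hmac.compare_digest(entry[0].encode(), username.encode())
        )
        if ok:
            self._failures.pop(source, None)
        else:
            self._failures[source] = self._failures.get(source, 0) + 1
        return ok


# Delegated verification: the internal server asks the public server, and
# must authenticate itself. A shared HMAC key is assumed here.
SHARED_SECRET = b"assumed-shared-secret-between-the-two-servers"


def sign_verification_request(username, token, timestamp, secret=SHARED_SECRET):
    """Internal server side: sign the verification request it sends."""
    msg = f"{username}|{token}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(username, token, timestamp, signature, now,
                     secret=SHARED_SECRET, skew=30):
    """Public server side: reject forged or stale verification requests."""
    if abs(now - timestamp) > skew:
        return False
    expected = sign_verification_request(username, token, timestamp, secret)
    return hmac.compare_digest(expected, signature)


def demo():
    """Issue a token, redeem it once, replay it, then let a second one expire."""
    fake_now = [1_000_000.0]                        # constructed clock
    store = HandoffTokenStore(ttl=60, clock=lambda: fake_now[0])
    tok = store.issue("Bob")
    first = store.redeem("Bob", tok, source="10.0.0.5")    # True
    replay = store.redeem("Bob", tok, source="10.0.0.5")   # False: already used
    tok2 = store.issue("Bob")
    fake_now[0] += 61                                      # past the TTL
    expired = store.redeem("Bob", tok2, source="10.0.0.5") # False: expired
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

The token travels in the request (ideally a POST body, as molf says, so it stays out of server logs and referrers) and is only meaningful until it is redeemed or expires, which is what removes the replay problem the question describes; `?username=Bob` alone never changes and so can always be replayed.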