Our site requires the password be passed onto another page to auto log into vendor sites which are brought in via iframe.

Since passwords are stored as a hash value in our site, the only way I can see being able to get the password from the page that needs it is to store it as a session variable, or pass it along on the querystring, when the user logs in (they enter it into the password textbox).

Our site does have a dedicated SSL certificate, so to my knowledge passing the credentials should be decently safe.

I can't figure out how the DNN login is working in order to intercept the password. Does anyone know enough about the DNN login or logins in general to be able to give me advice on storing the credentials for later use?

Any suggestions for alternatives to this would be helpful as well.

Thanks,
Matt

+1  A: 

There are several different password formats you can choose to use with DNN. You can change the password formats by making changes to the web.config file in the AspNetSqlMembershipProvider key of the membership section.

Here are the options available for the password formats:

passwordFormat="[Clear|Hashed|Encrypted]"   
Storage format for the password: Hashed (SHA1), Clear or Encrypted (Triple-DES)

The passwords are stored in the AspnetMembership table. If you are using the Encrypted format, then you should be able to pull the password back out.

ewalk
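
An added example (not part of the answer above and not DNN code): a Python check that reads the membership provider settings the answer describes from a web.config and reports whether stored passwords are reversible. The sample config is constructed, and the `enablePasswordRetrieval` attribute and `machineKey` element are standard ASP.NET membership settings that the answer does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment (not taken from the page).
SAMPLE = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" />
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="true"
             passwordFormat="Encrypted" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

def audit_membership(config_xml, provider="AspNetSqlMembershipProvider"):
    """Report how the named membership provider stores passwords."""
    root = ET.fromstring(config_xml)
    adds = root.findall("system.web/membership/providers/add")
    node = next((a for a in adds if a.get("name") == provider), None)
    if node is None:
        raise ValueError("provider %r not found" % provider)
    # SqlMembershipProvider defaults: Hashed storage, retrieval disabled.
    fmt = node.get("passwordFormat", "Hashed")
    retrieval = node.get("enablePasswordRetrieval", "false").lower() == "true"
    findings = []
    if fmt == "Clear":
        findings.append("passwords are stored in clear text")
    if fmt == "Hashed" and retrieval:
        # The provider refuses to initialize with this combination.
        findings.append("invalid: hashed passwords cannot be retrieved")
    if fmt == "Encrypted":
        mk = root.find("system.web/machineKey")
        key = mk.get("decryptionKey", "AutoGenerate") if mk is not None else "AutoGenerate"
        if key.startswith("AutoGenerate"):
            findings.append("Encrypted format needs an explicit decryptionKey")
    # Clear and Encrypted can both be turned back into the original password.
    reversible = fmt in ("Clear", "Encrypted")
    if reversible:
        findings.append("a database leak plus config access exposes passwords")
    return {"format": fmt, "reversible": reversible, "findings": findings}

if __name__ == "__main__":
    print(audit_membership(SAMPLE))
```
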