I'm setting up my first site using the ASP authentication provider and the built-in ASP.NET login control.

My question: is the password encrypted or hashed as it's sent to the server using the ASP.NET login control? Or do I need to use HTTPS/SSL to accomplish this?

Thanks

+7  A: 

Go with HTTPS.

Per MSDN, "By default, the ASP.NET login controls work in plain text over HTTP. If you are concerned about security, use HTTPS with SSL encryption."

Kon
Thanks for your answer, very helpful.
MongooseNX
+1  A: 

Unless you are using HTTPS, no. ASP.Net is leveraging the available HTML controls, and the data posted back to the server is in plain text. I would use SSL/HTTPS if you want your authentication to be secure.

Jason Jackson
A: 

Any text-based data is sent as is to the server regardless of the language used by the server, as this is controlled by the HTML Framework. You can create a JavaScript encryption or hash algorithm and use that prior to submitting the form data.

However the most secure method would be to use HTTPS.

Toby Mills
+1  A: 

The login control works as a normal form post. There is no encryption or challenge-response method. You must use SSL if you want any security.

Josh Hinman
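
As an added example that is not part of the original answers, here is a `web.config` fragment that pairs the HTTPS advice above with forms-authentication settings that keep the login ticket off plain HTTP. The `loginUrl` path and the `timeout` value are assumptions, and the site is assumed to already have an HTTPS binding with a valid certificate.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Login.aspx and timeout="20" are assumed values. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!--
        requireSSL defaults to "false": the ticket cookie is then sent on
        plain HTTP requests as well, where it can be read in transit.
        requireSSL="true" marks the ticket cookie Secure, so the browser only
        returns it over HTTPS, and ASP.NET will not issue the ticket on a
        non-SSL request.
        cookieless="UseCookies" keeps the ticket out of the URL.
        protection="All" (the default) encrypts and validates the ticket.
      -->
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             timeout="20" />
    </authentication>

    <!-- Marks the application's other cookies Secure and HttpOnly as well. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

These settings protect the cookies only. The page hosting the Login control still has to be requested over `https://` so that the form post carrying the password travels inside TLS.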