views:

91

answers:

2

How can I read the username and password from http GET in .NET MVC controller? I am using a jQuery $.ajax call and I am passing username and password in as a setting.

  1. Is this secure?
  2. If my server is ASP.NET MVC 2 how can I retrieve the username and password from the request?

My end goal is to make a secured jsonp call.

Here is how I am making the call in JavaScript:

    $("#getSomethingButton").click(function () {
        var username = "myusername";
        var password = "mypassword";
        $.ajax({
            url: 'people/getSomething',
            username: username,
            password: password,
            dataType: 'jsonp',
            jsonpCallback: 'onGetSomething'
        });
    });

Here is how MVC receives the request:

    // Action that answers the JSONP request: wraps the JSON payload in the
    // callback name supplied on the query string.
    public string GetSomething(string callback)
    {
        string data = "{data: 'test'}";
        return string.Format("{0}({1});", callback, data);
    }

If I watch the request in Fiddler, this is how it looks:

    http://myusername:mypassword@localhost:29161/people/getSomething?callback=onGetSomething

If and when this is put in production it will be SSL/HTTPS only but of course the query string is not secured by that.

So the question is can I in any possible way secure a password with a jsonp GET request?

+4  A: 

To send the username/password using AJAX:

    // Obviously the username/password should not be hardcoded but read from an input
    $.get('/home/foo', { username: 'foo', password: 'secret' }, function(result) {
        alert('username/password sent');
    });

To read them:

    // Model binding fills the parameters from the matching query-string keys.
    public ActionResult Foo(string username, string password)
    {
        // ... authenticate the user here ...
        return Content("received");
    }

Is it secure?

Only if you are using HTTPS.

I would recommend sending sensitive information like this only with the POST verb ($.post).

Darin Dimitrov
Thanks! I agree a POST would be better, but my end goal is JSONP, where POST is not an option.
Jamey McElveen
In this case make sure you are using SSL.
Darin Dimitrov
I tested this and it does not work. Username and password are passed on the query string; even POST will not secure that.
Jamey McElveen
When using SSL, the query string is **secure**. A man-in-the-middle attack won't be successful as the whole communication is encrypted. The only gotcha is intermediary proxy servers that might log the request URL. There's not much you can do about this with JSONP.
Darin Dimitrov
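The following is an added example, not code from the question or either answer. It models what the browser does with the jQuery `username`/`password` settings for a script-tag JSONP request (the credentials can only travel in the URL, exactly as the Fiddler capture shows), and then shows the defensive counterpart the comment thread hints at: a scrubber that redacts URL userinfo and sensitive query parameters before a request URL is written to a proxy or server log. The function names, the `SENSITIVE_PARAMS` list and the `example.test` host are assumptions.

```javascript
// Query-string keys treated as credentials when scrubbing a URL (assumed list).
const SENSITIVE_PARAMS = new Set(['password', 'pwd', 'secret', 'token']);

// A script-tag JSONP request cannot carry headers, so jQuery's username/password
// settings end up as URL userinfo rather than an Authorization header.
function buildJsonpUrl(base, settings) {
  const u = new URL(base);
  if (settings.username) {
    u.username = settings.username;
    u.password = settings.password || '';
  }
  u.searchParams.set('callback', settings.jsonpCallback);
  return u.toString();
}

// True if the URL carries a credential either as userinfo or as a sensitive
// query parameter (the two forms seen on this page).
function containsCredentials(urlString) {
  const u = new URL(urlString);
  if (u.username || u.password) return true;
  for (const key of u.searchParams.keys()) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) return true;
  }
  return false;
}

// Redact userinfo and sensitive query parameters so a log line built from the
// request URL no longer contains the password.
function redactCredentials(urlString) {
  const u = new URL(urlString);
  if (u.username || u.password) {
    u.username = 'REDACTED';
    u.password = ''; // empty password is dropped from the serialized URL
  }
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) u.searchParams.set(key, 'REDACTED');
  }
  return u.toString();
}

// Constructed sample: the request from the question, then the answer's $.get form.
const jsonpUrl = buildJsonpUrl('http://localhost:29161/people/getSomething',
  { username: 'myusername', password: 'mypassword', jsonpCallback: 'onGetSomething' });
console.log(jsonpUrl);
console.log(redactCredentials(jsonpUrl));
console.log(redactCredentials('https://example.test/home/foo?username=foo&password=secret'));
```

Run the scrubber on the URL before logging rather than after; once the unredacted line is on disk at a proxy, the password is already exposed to whoever reads that log.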
+1  A: 

Again, be very careful while passing sensitive data using GET.

muek
That is the question. How can I secure the password?
Jamey McElveen