Web Programming Discussion Forum. Working with an API? Developing a plugin? Writing a Mod or script for your favorite blog, Web 2.0 site or Forum? Welcome.
To begin with, all data is passed via the HTTPS protocol. I have to log each user into two different systems. I have a login screen that takes a username & password. This posts to an ASP page that validates the user in a database. If the user is validated, the following code is used to send the username/password to the second system for additional validation.

======Seamless Login Code===============

```asp
' Bridge form: re-posts the validated credentials to the second system.
' Values are HTML-encoded so a quote in a password cannot break the attribute.
%>
<form name="LoginBridge" action="Validate.aspx" method="post">
  <input type="hidden" name="usr_Name" value="<%= Server.HTMLEncode(strUserName) %>">
  <input type="hidden" name="usr_Password" value="<%= Server.HTMLEncode(strUserPassword) %>">
</form>
<script language="javascript">
  document.LoginBridge.submit();
</script>
<%
```

Please note that the second system exists because we are in the process of migrating to the sole use of this system. I think there will be a 6 month to 1 year migration time frame. I would like to know how vulnerable it is to pass each user's username/password via the HTTPS protocol.
shawc,

It would be more secure to use session variables; these do not store the fields as hidden fields like you have coded, and when this data is posted it effectively posts the data in a hidden querystring. I am curious though: are you actually developing in .NET, as the form code is standard HTML/ASP code?

You can also use a check at the top of each page so that if their session times out they are forced to log in again, i.e. they leave a public computer with secure info displayed and someone else uses the machine and accesses this data.

```asp
<%
' Force a fresh login when the session value is empty (e.g. after a timeout).
If Session("session name") = "" Then
    Response.Redirect("login.asp")
End If
%>
```

Hope this answers your question slightly. But SSL should be secure enough, but storing details in hidden fields is not generally a good idea!

MM
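The reply above advises against putting the credentials in hidden fields. Going one step beyond its session-variable suggestion, and assuming the two systems do not share session state, this added example (not code from the thread, and written in Python rather than ASP so it can be run as-is) shows the first system handing the second a short-lived, single-use signed token in place of the password. The shared key, the function names and the 30-second lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time
from typing import Optional

# Assumption: both systems hold this key, exchanged out of band (constructed value).
SHARED_KEY = b"constructed-demo-key-change-me"
TOKEN_TTL = 30          # seconds a handoff token stays valid (assumed)
_used_nonces = set()    # second system's replay cache (in-memory for the demo)

def _sign(payload: str) -> bytes:
    mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)

def issue_token(username: str, now: Optional[float] = None) -> str:
    """First system: call only after the user was validated in its database."""
    issued = int(time.time() if now is None else now)
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    payload = f"{user_b64}.{issued}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload).decode()}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Second system: return the username, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        user_b64, issued, nonce, sig = token.split(".")
        payload = f"{user_b64}.{issued}.{nonce}"
        # Constant-time comparison; bytes avoid errors on non-ASCII input.
        if not hmac.compare_digest(sig.encode(), _sign(payload)):
            return None                      # forged or altered
        if not 0 <= now - int(issued) <= TOKEN_TTL:
            return None                      # expired
        if nonce in _used_nonces:
            return None                      # replayed
        _used_nonces.add(nonce)
        return base64.urlsafe_b64decode(user_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return None                          # malformed token
```

The hidden field in the bridge form would then carry only this token, so the password never appears in the HTML sent back to the browser.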
WebProWorld is an iEntry, Inc. ® site - © 2009 All Rights Reserved Privacy Policy and Legal iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509