Hi I have an important task while being completely lost.
嗨,我完成了一项重要任务。
My team is building an external website and have already purchased the certificate. I am looking into the asp.net authentication styles and looks like forms authentication is the way to go. However after looking at the microsoft documents link it says that the login information can be seen in cleartext. Can anyone please point me out in the right direction or let me know where to start this login page?
我的团队正在建立一个外部网站,并且已经购买了证书。我正在研究asp.net身份验证样式,看起来像表单身份验证是要走的路。但是在查看了microsoft文档链接之后,它说明了可以用明文看到登录信息。任何人都可以指出我正确的方向或让我知道从哪里开始这个登录页面?
We have a cybersecurity team that looks at this and will pass or fail our site that is why I am asking.
我们有一个网络安全团队,他们会关注这个问题,并会通过或失败我们的网站,这就是我要问的原因。
2 个解决方案
#1
0
The cross-site request forgery (CSRF) issues is the primary concern here. If you are using SSL/HTTPS on your site then the password might be sent in clear text, but over an encrypted connection.
跨站点请求伪造(CSRF)问题是此处的主要问题。如果您在站点上使用SSL / HTTPS,则密码可能以明文形式发送,但通过加密连接发送。
#2
0
The built in default authentication automatically hashes the passwords in the database. It is simple to configure ssl inside IIS . Ontop of your controllers you can use the [ValidateAntiForgeryToken] data annotation to prevent csrf attacks. also put it inside the view as well with htmlhelpers.Im honestly baffled that passwords are sent in clear text. If your super worried about security what I do Is I only authorize certain users to view pages before deployment.
内置的默认身份验证会自动对数据库中的密码进行哈希处理。在IIS中配置ssl很简单。在您的控制器上,您可以使用[ValidateAntiForgeryToken]数据注释来防止csrf攻击。还把它放在视图中以及htmlhelpers.Im老老实实地感到困惑,密码以明文形式发送。如果你的超级担心安全性我做的是我只授权某些用户在部署之前查看页面。
#1
0
The cross-site request forgery (CSRF) issues is the primary concern here. If you are using SSL/HTTPS on your site then the password might be sent in clear text, but over an encrypted connection.
跨站点请求伪造(CSRF)问题是此处的主要问题。如果您在站点上使用SSL / HTTPS,则密码可能以明文形式发送,但通过加密连接发送。
#2
0
The built in default authentication automatically hashes the passwords in the database. It is simple to configure ssl inside IIS . Ontop of your controllers you can use the [ValidateAntiForgeryToken] data annotation to prevent csrf attacks. also put it inside the view as well with htmlhelpers.Im honestly baffled that passwords are sent in clear text. If your super worried about security what I do Is I only authorize certain users to view pages before deployment.
内置的默认身份验证会自动对数据库中的密码进行哈希处理。在IIS中配置ssl很简单。在您的控制器上,您可以使用[ValidateAntiForgeryToken]数据注释来防止csrf攻击。还把它放在视图中以及htmlhelpers.Im老老实实地感到困惑,密码以明文形式发送。如果你的超级担心安全性我做的是我只授权某些用户在部署之前查看页面。