asp.net security webservices-client

Security when calling a webservice or aspx page with password


I'm wondering if I have a web service like this:

Login(username, password)

or a page like

login.aspx?u=username&p=pass

If they were called from a desktop app, which would be more secure? From what I've read, a sniffer can read the request and figure out the URL. I AM hashing the passwords before putting them in the request, but if someone sees the request URL with the params/query string then they can make the request with the same values!?

How easy/hard is it for a sniffer to figure out the hashed password? Should I encrypt the password and username before putting it into the URL and web service? Any other options I have?

I'm asking because the data is NOT all that sensitive, but basic security should exist at a minimal performance cost.

NOTE: SSL is NOT an option


Solution

  • Use SSL to create a unique session token via a login service. Use that session token over standard HTTP for the rest.

    Your login session will need to take the username/password as a POST, otherwise the values will be visible in the URL request to the server and open to possible snooping on the network.
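
As an added example (not code from the original answer), this is one way the login service could issue and check the session token the answer describes, in C# on .NET 6 or later. The names `SessionTokenStore`, `Issue` and `TryValidate` and the 15-minute lifetime are assumptions; `Issue` is meant to be called only after the credentials received in the POST body over SSL have been verified.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example: in-memory session-token store for the login service.
// All names and the token lifetime are assumptions, not from the page.
public sealed class SessionTokenStore
{
    private readonly ConcurrentDictionary<string, (string User, DateTime ExpiresUtc)> _sessions = new();
    private readonly TimeSpan _lifetime;

    public SessionTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Call only after the username/password from the SSL POST have been verified.
    public string Issue(string user, DateTime nowUtc)
    {
        // 32 bytes from the OS CSPRNG: unguessable and unrelated to the password.
        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _sessions[token] = (user, nowUtc + _lifetime);
        return token;
    }

    // Called for every later request that presents the token.
    public bool TryValidate(string token, DateTime nowUtc, out string user)
    {
        user = "";
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out var s))
            return false;
        if (nowUtc >= s.ExpiresUtc)
        {
            _sessions.TryRemove(token, out _); // expired: a captured copy stops working
            return false;
        }
        user = s.User;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new SessionTokenStore(TimeSpan.FromMinutes(15));
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        string token = store.Issue("alice", t0); // "alice" is a constructed user
        Console.WriteLine(store.TryValidate(token, t0.AddMinutes(5), out var u) + " " + u);
        Console.WriteLine(store.TryValidate(token, t0.AddMinutes(20), out _));
        Console.WriteLine(store.TryValidate("not-a-real-token", t0, out _));
    }
}
```

Unlike the hashed password in a query string, a token captured from the plain-HTTP traffic stops being accepted once it expires and never exposes the password or its hash.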