Hi all, I want to create an ASP website and allow users to register as members. But I have a question about password security: 1.) Is it safe to use the "Session" command to transfer the password and save it inside MS SQL? If not, what command should I use? 2.) If the "Session" command is safe to use, then should I add Session.Abandon to release all the data? 3.) How do I encrypt the password? 4.) Does any website have a complete ASP programming example of how to create member registration? Thanks.
When storing a password in the DB, make sure to encrypt the data. SQL Server has encryption built in. Session should be safe for carrying around a token, but NEVER store that data in cookies.
a. Session is a server-side object, not a command. It "lives" inside the web server, so it is safe to use it for keeping the password.

b. For saving the password in the database you can:
1. Save it as plain text - this is bad.
2. Save it encrypted - better than plain text but still bad, since it can be decrypted.
3. Save the hash result of the password - this is the best way (http://en.wikipedia.org/wiki/Hash_function).

c. You should do it anyway when the user logs out, to free server resources when they are not needed (they will be automatically freed when there is a timeout).

d. Don't encrypt - hash it. http://www.codeproject.com/ - search it.

Notes:
1. Don't implement anything by yourself - get a working library of code for it.
2. If you are developing a commercial site, you can't afford not to get a security expert to advise you.
3. Use SSL for the pages that contain sensitive information.
4. Don't store the password in the session - store the login status and the user's information.
5. Remember that if you don't use SSL for all your pages, then an attacker can perform a session hijacking attack. Check out http://en.wikipedia.org/wiki/Session_hijacking