
I turned on the Fiddler capture, entered the username and password of my application and clicked the login button. Now the username and password are displayed in Fiddler.

I am using PrimeFaces. I don't want to show the password.

I added method="post" in the form, but it doesn't work. Please help.

Fiddler capture is below:

POST http://localhost:8186/myapp/ui/login.xhtml HTTP/1.1
Host: localhost:8186
Connection: keep-alive
Content-Length: 391
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://localhost:8186
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8186/myapp/ui/login.xhtml
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=025A4CEED3F44EEA80E08B00154EC1EB

javax.faces.partial.ajax=true&javax.faces.source=myloginForm%3AloginButton&javax.faces.partial.execute=%40all&javax.faces.partial.render=myloginForm%3AouterPanel+myloginForm%3AstatusMsgPanel&myloginForm%3AloginButton=myloginForm%3AloginButton&myloginForm=myloginForm&myloginForm%3AuserName=user1&myloginForm%3Apassword=pass1&javax.faces.ViewState=5967922235798284125%3A-8394345289058332812

  • Please add the full capture. So far I don't see any hint for POST "does not work". BTW: as long as you use http instead of https, all data are naturally transported in plain text. – Selaron Jul 10 '19 at 21:29
  • Added full capture. I have verified in the production environment where it has https://produrl/myapp/login.xhtml HTTP/1.1 but still the password is exposed. – AAPJ Jul 10 '19 at 21:36
  • This has completely nothing to do with JSF. It's in the context of this question merely a HTML form based MVC framework which produces HTML output and consumes HTML form submits. You would have exactly the same problem when using any other HTML form based MVC framework such as Spring MVC, Struts, etc or even a different language such as PHP, ASP.NET-MVC, etc. To solve your specific problem just use HTTPS instead of HTTP. – BalusC Jul 11 '19 at 16:13
  • In prod environment, we have HTTPS, but still the fiddler capture is the same. – AAPJ Jul 11 '19 at 17:16

1 Answer

You should understand that any HTTP message by default isn't encrypted. That means that all the data is moved via an insecure connection. You may even notice a warning by the browser that your connection isn't safe and you should not share any private data. The solution for this is SSL/TLS encryption. It allows you to encrypt your connection from both sides so the information would be much harder to get. Depending on your programming language, this part should be done from the server side.

  • To be precise: insecure connection means that all the data is sent as it is, readable by the format of mime in the HTTP messages. – Sean Tashlik Jul 10 '19 at 22:02
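The answer says the fix belongs on the server side. For a JSF/PrimeFaces application that means the servlet container, so here is an added example of a servlet filter that enforces it (this is not code from the question, the answer, or PrimeFaces). It assumes a Servlet 3.x or newer container with the javax.servlet API; the filter name, the HSTS value, the assumption that HTTPS listens on the default port, and the error message are this example's own choices.

```java
// Added example: a servlet filter that refuses form submissions over plain HTTP,
// redirects plain-HTTP page loads to their HTTPS equivalent, and sets HSTS on
// secure responses. Assumptions: javax.servlet 3.x+; TLS on the default port 443.
package example.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class RequireTlsFilter implements Filter {

    // One year; tells browsers that already reached the site over TLS to keep using it.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            String method = request.getMethod();
            if (!"GET".equals(method) && !"HEAD".equals(method)) {
                // A POST over plain HTTP has already carried its body (including a
                // password field like myloginForm:password) in the clear. Redirecting
                // would either drop the body (302) or ask the browser to resend it
                // (307), so reject it and let the user retry from an HTTPS page.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Form submissions are only accepted over HTTPS");
                return;
            }
            // Safe, idempotent request: send the browser to the same URL over https.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrlFor(request));
            return;
        }

        // Already on TLS: ask the browser to stay on it for future requests.
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(request, response);
    }

    // Rebuild the request URL with the https scheme. Assumes TLS on the default
    // port; append ":" + port to the host if your TLS listener is elsewhere.
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
                .append(request.getServerName())
                .append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    @Override
    public void destroy() { }
}
```

The same policy can be declared without code in web.xml with a security-constraint whose user-data-constraint has transport-guarantee set to CONFIDENTIAL, which makes the container redirect plain-HTTP requests to its configured HTTPS port. One check worth keeping in mind when testing either approach: TLS protects the bytes between the browser and the server, not the endpoints. Fiddler runs on the client machine and decrypts HTTPS by acting as a proxy whose root certificate the browser has been told to trust, so seeing the password in a Fiddler capture taken on the client does not by itself show that the production site is missing HTTPS; a capture taken on the network between the two machines (without that trusted proxy certificate) is the test that would show plaintext credentials.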