I am trying to send a SecureString to a web api controller, but it is always giving me a length of 0 at the controller's part.

Here's the client's side:

As you can see, it has a non-zero length at the time of serialization. By the time the controller gets it, it's 0.

Here's the controller's side

Everything else that's needed gets set correctly. It's not null, but the length is 0.

  • SecureString is not serializable (on purpose) – Klaus Gütter Mar 08 '21 at 20:19
  • and isn't recommended for usage anymore – Pavel Anikhouski Mar 08 '21 at 20:37
  • What can I do then? My WPF has a passwordbox – Jacko Mar 08 '21 at 20:48
  • `PasswordBox` has a `Password` property; using the `SecurePassword` property is not mandatory, as far as I know. There is no point in trying to keep the password as a `SecureString` if it's going to be sent out over the wire; it will likely pass through many layers of code that will not try to ensure the password is never copied anywhere in memory. (This is the main reason `SecureString` is no longer recommended; it's just not realistic. You are better off investing in securing the machine as a whole.) – Jeroen Mostert Mar 08 '21 at 20:53
  • But, is there a reason that the object is getting sent, but is getting erased? – Jacko Mar 09 '21 at 16:54
  • I doubt it's getting sent at all (unless you can show otherwise with a packet dump). You're just getting a default (empty) instance of a `SecureString`. – Jeroen Mostert Mar 09 '21 at 18:11
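
The behaviour described in the comments above, as an added example that is not part of the original question or its comments. It assumes `System.Text.Json` as the serializer (the post does not say which one is used); `LoginRequest` and `PlainLoginRequest` are hypothetical DTOs and the password value is constructed sample data.

```csharp
using System;
using System.Security;
using System.Text.Json;

// Hypothetical DTO shaped like the one in the question: the password is a SecureString.
public class LoginRequest
{
    public string UserName { get; set; }
    public SecureString Password { get; set; }
}

// Hypothetical DTO following the comments' advice: a plain string (e.g. PasswordBox.Password).
public class PlainLoginRequest
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public static class Program
{
    public static void Main()
    {
        const string sample = "constructed-sample"; // constructed value, not a real secret

        var secret = new SecureString();
        foreach (char c in sample) secret.AppendChar(c);

        // Client side: Length is non-zero when the object is handed to the serializer.
        var request = new LoginRequest { UserName = "demo", Password = secret };
        string json = JsonSerializer.Serialize(request);
        Console.WriteLine($"Client Length: {secret.Length}");
        Console.WriteLine($"JSON on the wire: {json}"); // inspect: the characters are not in it

        // Controller side: the binder builds a new SecureString with its default constructor.
        // Length is read-only, so nothing repopulates the instance.
        LoginRequest received = JsonSerializer.Deserialize<LoginRequest>(json);
        Console.WriteLine($"Received null? {received?.Password == null}");
        Console.WriteLine($"Received Length: {received?.Password?.Length}");

        // A plain string survives the round trip; protect it in transit with HTTPS.
        var plain = new PlainLoginRequest { UserName = "demo", Password = sample };
        string plainJson = JsonSerializer.Serialize(plain);
        PlainLoginRequest plainReceived = JsonSerializer.Deserialize<PlainLoginRequest>(plainJson);
        Console.WriteLine($"Plain string round-trips: {plainReceived?.Password == sample}");
    }
}
```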
