0

I have the following Post action method which accept username & password, connect to Active Directory and get the user info in JSON format after validating the credentials:

[HttpPost]
public ActionResult UserInfo(string username, string password)
{

now since this is a POSt action method, will IIS logs keep track of the entered parameters? in this case the username and password? If the answer is yes, then how i can secure those parameters? Thanks

Lex Li
  • 60,503
  • 9
  • 116
  • 147
John John
  • 1
  • 72
  • 238
  • 501
  • Instead of asking such questions from a group of developers who focus on writing code, you should consider talking to the security team in your organization or security centric sites like https://security.stackexchange.com/questions Above if you are going to verify user credentials against Active Directory, you should never pass them in clear text. Never. – Lex Li Oct 18 '22 at 04:16

1 Answers1

-1

The params in your code snippet can be found in IIS logs.

If you want to protect the params, you should use something like below.

[HttpPost("Post")]
public string bb([FromForm]string name)
{
    return name;
}

When you are using something like [FromForm], not params. Then the data will hide in http post request.

Jason Pan
  • 15,263
  • 1
  • 14
  • 29
  • 1
    now since i wrote this question, i test thing, now if i pass the `username` & `password ` as part of the http body and not as part of the http parameters those will not be stored inside iis logs – John John Oct 17 '22 at 12:54
  • @johnGu [That's exactly what I'm trying to say](https://i.stack.imgur.com/bR6zo.png), [frombody] [fromform] is fine. – Jason Pan Oct 17 '22 at 13:34
  • I wonder how this approach can be "fine". User credentials are still passed in clear text, though not recorded in IIS log files, and there are significant risks remaining. Note that Active Directory provides much more secure approaches to verify user credentials, instead of passing secrets in clear text. – Lex Li Oct 18 '22 at 04:17