The AJAX Framework in .NET 3.5 provides a web service to help us accomplish that: AuthenticationService (http://msdn.microsoft.com/en-us/library/bb386582.aspx).
If you are already on an encrypted HTTPS page, this works great. However, if you are serving that nice and functional page over plain HTTP because, frankly, the images and text don't need encrypting and you would rather not pay the overhead just for the sake of a login form, you may have a problem.
Specifying the line below in your web.config won't really do anything.
<authenticationService enabled="true" requireSSL="true"></authenticationService>
Changing the protocol to HTTPS in your path won't help you either:
Why? Because this version of AJAX, the one included in .NET 3.5, does not support cross-domain proxy authentication.
So, how do you make sure your user's credentials don't travel in unencrypted HTTP headers while still serving the page over HTTP and without redirecting him or her anywhere?
Before the password gets posted to your ASP.NET form, you encrypt it with MD5 (strictly speaking, you hash it: MD5 is a one-way function, so the resulting digest cannot be decrypted back into the password). To use it, you:
- Encrypt the submitted password value.
- Encrypt the DB-stored password associated with the submitted email address.
- Compare the two values. If equal, you can deem the authentication successful.
With no need to reinvent the wheel, I found a great script for encrypting strings into MD5 format here:
Great work Paul!
Despite the shortcomings of the AJAX toolkit in the .NET 3.5 Framework, Visual Studio 2008 is still a great IDE, and before you go switching to PHP, remember that all it takes is some time, creativity, and improvisation.
Is it safe to use client-side encryption?
I will post some code later. I welcome your feedback.