Password encryption within ASP files

g-kennett
Level 1

I have installed the SDK to provide various added features to an IPT installation, one of them being an LDAP Directory search service using multidirectory. We have got this working OK, but our concerns are that the username and passwords are displayed in clear text.

This may seem a simple question (as I'm new to this side of IPT), but how would I go about getting these credentials encrypted?

3 Replies

stephan.steiner
Spotlight

What do you mean by "displayed in cleartext"? Keeping passwords in code files may not be good coding practice (hard to maintain when it comes to changes), but security-wise, unless you give people access to your script directory, there shouldn't be a problem. The webserver is supposed to execute the script or display an error, never display the contents of the file.

There's another angle: unless you're using sldap, the login and password are sent on the net in cleartext. To solve that you need to start using sldap.

Hi and thanks for the reply. I don't think I worded this very well so I'll try again.

We are using the sample multidirectory ASP that comes with the IP Phone Services SDK. The username and password that we use to connect to the LDAP server is displayed within this file. There is also a comment within this file saying that it is not advisable to have passwords in clear text, but doesn't give any tips or references on how to go about it.

Hope this clears it up. Any help would be good. Thanks

Hello all,

Well, I did some web stuff ages ago and I remember that you could use the global.asa file to put stuff like this in. I just tried it and it still works, but I'm not sure if there is a replacement for this now as ASP.NET seems to use global.asax files -- didn't look into the differences...

Basically, this is a special file which can't be read from a browser and it has two different scopes: application and session. It can be used to store session and application objects and variables. It was always used to store database connection strings which included passwords for the very same reason.

There are several events kicked off in that file throughout the lifecycle of an application, one of which I'll use here. The steps I followed (on a standard install) are:

1. Create global.asa file in C:\CiscoIPServices\ASP directory with the following contents:

2. In your code (i.e. C:\CiscoIPServices\ASP\test\test.asp), use the variable like this:

<%@ Language=JavaScript %>
<%
Response.Write(Application("myldappassword"))
%>

That was it. When I ran that page (http://host/test/test.asp), I got the output "mybigsecret" without having the actual password in my ASP file.

Be careful, as you may already have one of these files, since I believe you can only have one per something or other...

There is an old link below which covers it a little bit more:

http://www.4guysfromrolla.com/webtech/113098-1.shtml

I hope this is what you were after.

Regards,

Darren.
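
An added example, not part of the post above or of the SDK sample: a global.asa for the C:\CiscoIPServices\ASP application root that fills Application("myldappassword") at start-up from a file kept outside the web root, so the password appears in neither the .asp page nor global.asa itself. The file path and the readSecret helper are hypothetical, and the file is still clear text on disk, protected only by its NTFS permissions.

```asp
<SCRIPT LANGUAGE="JavaScript" RUNAT="Server">
// global.asa (added example; path and helper name are assumptions).

// Read the first line of a text file; return "" if it is missing or unreadable,
// so a broken deployment yields an empty credential rather than a script error.
function readSecret(path) {
    var fso = Server.CreateObject("Scripting.FileSystemObject");
    if (!fso.FileExists(path)) {
        return "";
    }
    var stream = null;
    try {
        stream = fso.OpenTextFile(path, 1);   // 1 = ForReading
        return stream.AtEndOfStream ? "" : stream.ReadLine();
    } catch (e) {
        return "";
    } finally {
        if (stream !== null) {
            stream.Close();
        }
    }
}

// Fires once, when the first request reaches the application after a restart.
function Application_OnStart() {
    // Hypothetical location outside the web root. Grant read access only to
    // the account the IIS application runs as.
    var secretFile = "C:\\Secrets\\ldap_bind_password.txt";

    Application.Lock();
    Application("myldappassword") = readSecret(secretFile);
    Application.Unlock();
}
</SCRIPT>
```

Pages read the value exactly as in step 2 and should treat an empty string as "not configured" instead of attempting the LDAP bind.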