JWT password validation question
Mar 03, 2019 06:09 PM | cenk1536
Hello guys,
I have an asp.net web API. I implemented a token authentication that I am trying to validate user name and password from the database. I am new to JWT so I need your advice.
Here are my questions:
Should I encrypt username and password in my database?
The client sends the username and password in the request body. Should the client send them in the header? And should they be encrypted?
Best Regards.
Re: JWT password validation question
Mar 03, 2019 10:13 PM | mgebhard
I recommend that you set aside time to learn standard practices which you can learn by going through many of the tutorials in this site. Also learn JWT.
https://jwt.io/
No. Passwords are hashed and usernames are stored in plain text.
Commonly username and password are submitted in the HTTP message body.
Yes, always use TLS (HTTPS).
Re: JWT password validation question
Mar 04, 2019 06:57 PM | cenk1536
Is there any asp.net web api 2 tutorial about storing hash+salt on DB and comparing user password by hashing with salt?
Re: JWT password validation question
Mar 04, 2019 07:22 PM | mgebhard
Yes, there are many examples that you can find by doing a basic internet search.
https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/consumer-apis/password-hashing?view=aspnetcore-2.2
I recommend using the APIs that come with ASP.NET like Identity rather than rolling your own.