I have a Silverlight Business Application. I want to store the username and password that the user enters when logging into the system.
Does anyone have any pointers, tips, etc. on how I can securely store this data? I would like to store it encrypted but I'm not sure where I would store the password/salt. Would it be secure to store this in the client code? I'm guessing it won't be because this is sent to the client.
I would normally use the Windows Data Protection API (DPAPI) to machine encrypt the data; is this possible in Silverlight?
The app will be run in-browser using Silverlight 4.
Update
I validate the user on the server side. Currently I store the username and password encrypted on the server side. The reason I need them on the client side is that when using the Perpetuum Report Viewer, in the case that the report contains sub-reports or has a drill-through, the user is prompted for their credentials. I don't want the user to need to enter their credentials again; the only way round this is to provide them on the client side.
Storing that information is never safe on the client side. Silverlight can always be reverse engineered; you can make it hard for users / hackers to get it, but it is never 100% safe.
Here is a nice article about using the AES algorithm to encrypt/decrypt data in Silverlight: http://www.davidezordan.net/blog/?p=202
Why don't you store sensitive stuff on the server side?
Silverlight assemblies can be reverse engineered and/or modified.
Let the user enter his password and send it encrypted to the server side. On the server side you then check whether the password is correct.
There is no need to store passwords in the Silverlight control.
An alternative to storage might be to use LocalMessageSender and LocalMessageReceiver (some form of encryption might be prudent) to pass credentials between Silverlight application instances running from the same domain.