C# & WPF - Using SecureString for a client-side HTTP API password

半城伤御伤魂 submitted on 2021-01-27 20:05:42

Question


When writing a WPF application, the PasswordBox stores the entered password as a SecureString. This totally makes sense. However, I want to send the password via an HTTP API, and the HttpClient PostAsync seems to accept strings for form-encoded data.

I am aware that other people have asked related questions, most notably Is SecureString ever practical in a C# application?, but I have not found a satisfactory method to send this SecureString to the Http endpoint, without first converting it to a String. The conversion totally defeats the object of SecureString in the first place (because it puts the plaintext right back into the managed memory).

Is there a canonically correct (and preferably straightforward) way to do this?

For complete disclosure - I have no control over the HTTP API.


Answer 1:


I think that, although not perfect, the best solution for you is to use the DecryptSecureString method, posted by rdev5 on this answer (after all, the password is being transferred in plaintext over the network anyway).

rdev5's method decrypts the SecureString into a string, does what you tell it to do with the password and then wipes it from memory. This reduces the window where the password is in memory, and thus the time during which it could be peeked from there.

Strings.DecryptSecureString(secureString, (password) =>
{
    // Do your API call here
});

P.S.: As pointed out in the original post, just be sure not to save the content of password elsewhere.
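
An added example, not part of the original answer and not rdev5's code: one way to post the password as form-encoded data without ever creating a managed System.String for it, by building the request body as a byte array that is wiped after the call. The class name SecureFormPost and the form field names "username" and "password" are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
using System.Threading.Tasks;

static class SecureFormPost // hypothetical helper, not from the page
{
    // Field names "username"/"password" are assumed; use whatever the API expects.
    public static async Task<HttpResponseMessage> PostAsync(
        HttpClient client, string url, string user, SecureString password)
    {
        byte[] prefix = Encoding.ASCII.GetBytes(
            "username=" + Uri.EscapeDataString(user) + "&password=");
        char[] chars = new char[password.Length];
        byte[] utf8 = null, body = null;
        IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(password);
        try
        {
            Marshal.Copy(ptr, chars, 0, chars.Length);   // plaintext now in a wipeable char[]
            utf8 = Encoding.UTF8.GetBytes(chars);
            body = new byte[prefix.Length + utf8.Length * 3]; // worst case: every byte as %XX
            Buffer.BlockCopy(prefix, 0, body, 0, prefix.Length);
            int n = prefix.Length;
            foreach (byte b in utf8)
            {
                // Percent-encode everything except RFC 3986 unreserved characters.
                bool unreserved = (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') ||
                    (b >= '0' && b <= '9') || b == '-' || b == '.' || b == '_' || b == '~';
                if (unreserved) { body[n++] = b; continue; }
                body[n++] = (byte)'%';
                body[n++] = (byte)"0123456789ABCDEF"[b >> 4];
                body[n++] = (byte)"0123456789ABCDEF"[b & 15];
            }
            using (var content = new ByteArrayContent(body, 0, n)) // wraps the array, no copy
            {
                content.Headers.ContentType =
                    new MediaTypeHeaderValue("application/x-www-form-urlencoded");
                return await client.PostAsync(url, content);
            }
        }
        finally
        {
            // Wipe every buffer created here; copies inside HttpClient or the TLS stack are out of reach.
            Marshal.ZeroFreeGlobalAllocUnicode(ptr);
            Array.Clear(chars, 0, chars.Length);
            if (utf8 != null) Array.Clear(utf8, 0, utf8.Length);
            if (body != null) Array.Clear(body, 0, body.Length);
        }
    }
}
```

The arrays are not pinned, so a compacting garbage collection can leave a stale copy behind before the wipe; pin them with GCHandle if that window matters.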



Source: https://stackoverflow.com/questions/46834298/c-sharp-wpf-using-securestring-for-a-client-side-http-api-password
