Hi there,
I'm preparing an application for a 1st production release and wanted to check I haven't made any obvious errors that make it inherently insecure.
For this application I'm using a custom authentication scheme, where users and their password hashes are stored in the database. I've exposed functionality using a PL/SQL package, that is the routines for generating the password hash, authenticating the user etc. This all seems to be working as designed.
The routine for getting the user's password hash takes the username and password as parameters. I've noticed as part of development/debugging that when the hash routine is called I can see the password passed in as clear text in log messages. This may be OK as I'll be removing this logging, but how is the password transmitted between the GUI (Login Page) and the database as part of the package call? Is it clear text, or is it automatically encrypted/hashed as a result of the Password item being used on the login page?
If the password is transmitted as clear text, any suggestions on how to secure it? Should I be hashing on the client side instead?
Daljit
My environment details:
- APEX 5.0.4.00.12
- Oracle 11g (11.2.0.1), CentOS 5
- EPG
- Internet Explorer 11 (Windows 7)
- Universal Theme
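The server-side hashing scheme described in the post above, as an added example that is not part of the original post and not Oracle APEX or PL/SQL code: it shows the "generate hash" and "authenticate user" routines with a per-user random salt, a constant-time comparison, and a log line that never carries the password. The storage format, the PBKDF2 work factor and the mixing of the username into the salt are assumptions of this example, and it still assumes the password reaches the server over TLS.

```python
"""Added example: server-side password hashing and verification in Python,
standing in for the PL/SQL package routines described in the post.
Assumptions (not from the post): stored format 'pbkdf2_sha256$iter$salt$hash',
username mixed into the salt, and a fixed iteration count."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; tune to the server's budget


def make_password_hash(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt per call means two users with the same password
    get different stored values. Binding the username into the salt ties
    the stored hash to the account it was created for (an assumption here).
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    salted = username.lower().encode() + b"\x00" + salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salted, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, username: str, password: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: treat as authentication failure
    if algo != "pbkdf2_sha256":
        return False
    salted = username.lower().encode() + b"\x00" + salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salted, int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def log_safe_call(username: str) -> str:
    """What a debug log line for the hash routine may contain: never the password."""
    return f"get_password_hash(username={username!r}, password=<redacted>)"


if __name__ == "__main__":
    # Constructed sample credentials; the salt is random, so the record differs per run.
    record = make_password_hash("daljit", "correct horse battery")
    print(record)
    print(verify_password(record, "daljit", "correct horse battery"))  # True
    print(log_safe_call("daljit"))
```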