RE: How to hide logged User ScreenName and Password from Headers?

Chanakya P, modified 2 Years ago. Junior Member Posts: 72 Join Date: 2/17/14 Recent Posts
Hi Team,
I was unable to disable logged user credentials from Headers.

Actual Result:
Logged User details are visible in Headers.
Expected Result: Logged User details should not be shown in Headers. Please find attached screenshot.
Please provide solution.

Used: 
    liferay-dxp-digital-enterprise-7.0-sp6
Olaf Kock, modified 6 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Chanakya P:

Hi Team,
I was unable to disable logged user credentials from Headers.

Actual Result:
Logged User details are visible in Headers.
Expected Result: Logged User details should not be shown in Headers. Please find attached screenshot.
Please provide solution.
If I understood correctly, you've logged in. During the log in process, the username and password need to be transmitted to the server - that's what https is there for, to protect that data in transit.
Some people like hashing passwords on client side and only transmit the hash - however, this effectively makes the hash your new credential, so it looks like gibberish, but you haven't won anything.
The only way that would truly eliminate credentials from this request would be to configure an SSO solution, where you sign in to the SSO server, and it cryptographically approves an identity to Liferay. However, even there: You'd identify yourself to the SSO server somehow. Most likely with username and password, but there might be other solutions that could be appropriate for your use case. Not every browser has access to a smart card reader, for example.
Chanakya P, modified 2 Years ago. Junior Member Posts: 72 Join Date: 2/17/14 Recent Posts
Hi Olaf Kock,
Thanks for your reply.
As per your suggestion, right now we are unable to use SSO.
Site is configured with an LDAP server and https.

Is there any way to hide credentials from headers? 
 
Olaf Kock, modified 6 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Chanakya P:

As per your suggestion, right now we are unable to use SSO.
Site is configured with an LDAP server and https.
Is there any way to hide credentials from headers? 
 
As I outlined above, and as was discussed in the other thread that you commented on: You'll need some proof that a user is who they claim to be. Commonly that's done by transmitting username and password, protected by https. It's common with almost every other system on the web.
Anything that you enter into an input field in an HTML form will be transmitted to the server, and be readable there. That's the whole point.
And if you're unable to use SSO: No, there's no other way.
If you were able to use SSO: You'd transmit username and password to the SSO server instead of Liferay. That technically solves your problem that this data is transferred to Liferay, but doesn't solve the problem that the data is transferred at all.
What's the reason behind this question? I have the feeling that you've decided to ask for a particular solution to an unnamed underlying problem.
Christoph Rabel, modified 6 Years ago. Liferay Legend Posts: 1555 Join Date: 9/24/09 Recent Posts
For the record:
The credentials (username and password) are sent as form data in a post request. They are not sent in headers! Chrome just shows the form data in the headers tab, for whatever reason.
HTTP headers are something different. So, if you do research, search for form data and don't search for headers.
Sending credentials in form data is the normal standard. Everybody does it. Assuming https: There is nothing wrong with the request shown above in the screenshot. It is perfectly fine.
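To make the two points in this thread concrete (Christoph's: the credentials live in the POST body, not in the HTTP headers, even though Chrome's "Headers" tab displays the form data there; and Olaf's: a password hashed on the client just becomes the credential the server checks), here is an added Python example. It is not code from the thread or from Liferay. The request below is constructed for the example; the path /c/portal/login and the field names login and password are assumptions modelled on a Liferay-style login form, and the hashing scheme is a hypothetical "hash on the client" design, not something Liferay does.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed sample request (not the screenshot from the thread): the login POST a
# browser sends to a Liferay-style login form. Over HTTPS the whole thing, request
# line, headers and body, travels inside the TLS tunnel.
BODY = "login=jdoe%40example.test&password=s3cret"
RAW_REQUEST = (
    "POST /c/portal/login HTTP/1.1\r\n"
    "Host: portal.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "Cookie: JSESSIONID=constructed-session-id\r\n"
    "\r\n"
    f"{BODY}"
)

CREDENTIAL_FIELDS = ("login", "password")


def split_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, header dict, body).

    The empty line (CRLF CRLF) is the boundary: everything before it is the
    request line plus headers, everything after it is the entity body that
    carries the form data.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def body_fields(raw: str) -> dict:
    """Decode application/x-www-form-urlencoded body fields (last value wins)."""
    _, headers, body = split_request(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type != "application/x-www-form-urlencoded":
        return {}
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def where_are_credentials(raw: str) -> dict:
    """Report which part of the request actually carries the credential fields."""
    _, headers, _ = split_request(raw)
    fields = body_fields(raw)
    return {
        "in_headers": [f for f in CREDENTIAL_FIELDS if f in headers],
        "in_body": [f for f in CREDENTIAL_FIELDS if f in fields],
    }


def client_side_token(password: str) -> str:
    """What a hypothetical 'hash on the client' scheme would transmit instead
    of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def server_accepts(stored_token: str, transmitted_token: str) -> bool:
    """Server-side check in that scheme: constant-time comparison of whatever
    the client sent against what the server stored for the account. Whoever
    holds the transmitted token passes, so the token is the credential."""
    return hmac.compare_digest(stored_token, transmitted_token)


if __name__ == "__main__":
    print(where_are_credentials(RAW_REQUEST))   # credentials only in the body
    token = client_side_token("s3cret")
    print(server_accepts(token, token))         # the hash alone is enough
```

Running it prints that neither credential field appears among the headers and both appear in the body. The last two lines show Olaf's point: in a client-side hashing scheme the server can only compare the transmitted token, so the token is what an eavesdropper would need, and TLS remains the control that protects it in transit.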