Login encryption

Question

Question

Botai Zhang · Nov 17, 2020

#HealthShare

When logging in to the management portal page, how to send the encrypted user name and password when sending a request

Discussion (8)1

Log in or sign up to continue

Lorenzo Scalese · Nov 17, 2020

Hi @Botai Zhang

Take a look to this post : https://community.intersystems.com/post/running-management-portal-privat...

0 0

Dmitry Maslennikov · Nov 23, 2020

You have to use HTTPS, for such tasks, encryption passwords on the client-side not secure in any way. The only way to make it secure is by using SSL. Base64 is far from Security, anybody with such a string can get a real password. With SSL, it will be impossible to decrypt any traffic between client and server. So, even way, to catch anything about a password.

3 0

score 1 · Answer 1 · 2020-11-17T05:03:48-05:00

Lorenzo Scalese · Nov 17, 2020

Hello,

I would say by using https protocol.

1 0

score 0 · Answer 2 · 2020-11-17T05:09:08-05:00

Thank you.Lorenzo Scalese . How is HTTPS implemented in healthshare? Is this the only way?

Change% csp.login Is class implementation feasible?

score 0 · Answer 3 · 2020-11-17T09:29:57-05:00

Just as a quick caveat, I want to reiterate Nicholai's note on that post that the private web server should not be used for a production system; the private web server is primarily intended for out-of-the-box management portal access. If you need a full featured and https-secured web server to run your application, you should install a full web server.

score 0 · Answer 4 · 2020-11-17T23:58:16-05:00

Use SSL on an external web server such as Apache or IIS. Then disable the internal web server or at least restrict traffic to it. Note that many of the web services in HealthShare (if set up before deploying SSL) will be configured to use the internal (57772) web server. Those URLs in the Service Registry will need to be updated.

score 1 · Answer 5 · 2020-11-18T02:44:09-05:00

Yes, I agree with @Vic Sun.

The built-in web server shouldn't be used in production.

If you're a docker user, perhaps [this](https://github.com/lscalese/isc-webgateway-letsencrypt) can help you.

So, using encryption with let's encrypt needs a fully qualified domain name, but Docker file file and setupWebGateway.sh
could help you.

score 1 · Answer 6 · 2020-11-18T21:54:42-05:00

If I don't use Https and want to implement simple password transmission encryption and decryption (for example: Base64), as shown in the figure, CSP has completed the encryption operation. Would you like to ask where the decryption operation needs to be handled?