We are using the code below to pass a user's password, URL-encoded, to an MVC web service. The problem is that when we run an HP Fortify web scan on the application, we get "password management heap inspection fortify" issues on the code that passes the password to the web service. The finding has to do with not clearing out the password. Can anyone provide any advice?
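// Login fragment: reads the submitted credentials, forwards them to the
// "Registration" web-service endpoint, deserializes the JSON reply into a
// UserCred and marks the session as authenticated.
// presumably `collection` is the posted form collection; verify against the enclosing action.
string username = collection["username"].ToString();
// System.String is immutable and cannot be overwritten after use, which is what
// the heap-inspection finding reports. UrlEncode and the concatenation below
// each create a further copy of the value.
string password = collection["password"].ToString();
// NOTE(review): the locals above are `username`/`password`, but the statements
// below read `Username`/`Password`. C# is case-sensitive; confirm which is intended.
/////LOGIN USER
// Encode both values so that characters such as '&' or '=' in either one
// cannot add or override query parameters in the request below.
string userurl = System.Web.HttpUtility.UrlEncode(Username);
string passurl = System.Web.HttpUtility.UrlEncode(Password);
// NOTE(review): the password is sent in the query string of a GET request, and
// request URLs are commonly recorded in server and proxy logs. Moving it to a
// POST body needs the Registration endpoint to accept that; confirm with the
// service owner. `.Result` blocks the calling thread until the call completes.
response = client.GetAsync("Registration?username=" + userurl + "&password=" + passurl + "&edi=" + "" + "&isEdi=" + false).Result;
responseBodyAsText = response.Content.ReadAsStringAsync().Result;
statuses = JObject.Parse(responseBodyAsText);
DataContractJsonSerializer serializer = new DataContractJsonSerializer(typeof(UserCred));
// Round-trip the parsed JSON through a UTF-16 byte stream so the
// data-contract serializer can build the UserCred instance.
using (var ms = new MemoryStream(Encoding.Unicode.GetBytes(statuses.ToString())))
{
    usercred = (UserCred)serializer.ReadObject(ms);
}
// NOTE(review): nothing visible here checks response.IsSuccessStatusCode or the
// parsed reply before the session is marked authenticated; confirm that a
// check exists in code not shown.
Session["userData"] = usercred;
Session.Add("Authenticated", "True");
// NOTE(review): the third argument of RedirectToAction is treated as route
// values, so UserCred's public properties are expected to appear in the
// redirect URL. Verify it carries nothing sensitive.
return RedirectToAction("Index", "Home", usercred);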