
Security question

Hello all,

I have a security question. Instead of having a session key,
I was thinking to hold the password of some application in
a Javascript variable.

Each time a http (or https) request is sent from Javascript,
I also send the password. The server checks the password
and sends back the result.

In this way, no need for session.

Is there a security problem with this kind of programming?

The only thing I could think of, is that in Firefox and firebug
someone could access the variable to get the password. But
that is a risk I take.

I am more concerned that some evil website could steal the
password by some other Javascript. But I could not find
a way, so, I assume this is rather safe.

Or, does someone disagree?

Regards,

Lucas
Feb 6 '07 #1
5 Replies


Lucas Kruijswijk wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.

Bad idea!

> Each time a http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
>
> In this way, no need for session.
>
> Is there a security problem with this kind of programming?

YES!

> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.

You don't need Firefox or Firebug. You can read your password in
any browser with one or two clicks with the mouse if you do it
this way.

> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.

You're wrong!
:-)

> Or, does someone disagree?

Heartily, Yes!

--
Dag.
Feb 6 '07 #2

On Feb 6, 4:37 pm, "Lucas Kruijswijk" <L.B.Kruijsw...@inter.nl.net>
wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.
>
> Each time a http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.

The words password and JavaScript send a chill down my spine. Remember
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating the DOM, creating dynamic
pages. Security is something always best kept to a computer you know
(e.g. the server) rather than the user's computer you know nothing
about.

> In this way, no need for session.
>
> Is there a security problem with this kind of programming?
>
> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.
>
> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.
>
> Or, does someone disagree?

Please don't do this!

> Regards,
>
> Lucas

Feb 7 '07 #3

> The words password and JavaScript send a chill down my spine. Remember
> anything you write in JavaScript can be viewed with a simple click on
> view source. JavaScript is for manipulating the DOM, creating dynamic
> pages. Security is something always best kept to a computer you know
> (e.g. the server) rather than the user's computer you know nothing
> about.

The password is only in a Javascript variable. It is not in the DOM;
it is also not in the source.

So, I didn't see real arguments. You can only access it by a Javascript
console.

By the way, it is not for a banking system or something like that :-)

Lucas

>> In this way, no need for session.
>>
>> Is there a security problem with this kind of programming?
>>
>> The only thing I could think of, is that in Firefox and firebug
>> someone could access the variable to get the password. But
>> that is a risk I take.
>>
>> I am more concerned that some evil website could steal the
>> password by some other Javascript. But I could not find
>> a way, so, I assume this is rather safe.
>>
>> Or, does someone disagree?
>
> Please don't do this!
>
>> Regards,
>>
>> Lucas


Feb 7 '07 #4

<inline/>
Lucas Kruijswijk wrote:
>> The words password and JavaScript send a chill down my spine.
>> Remember anything you write in JavaScript can be viewed with a simple
>> click on view source. JavaScript is for manipulating the DOM, creating
>> dynamic pages. Security is something always best kept to a computer
>> you know (e.g. the server) rather than the user's computer you know
>> nothing about.
>
> The password is only in a Javascript variable. It is not in the DOM;
> it is also not in the source.
>
> So, I didn't see real arguments. You can only access it by a
> Javascript console.

Type the following into the address field of your browser:
(Without the quotes)

"javascript:alert(yourPwdVar);"

where "yourPwdVar" is the variable you're holding the password in.

> By the way, it is not for a banking system or something like that :-)

Then drop the password...

:-)

--
Dag.

Feb 7 '07 #5

Thanks, I am convinced. I will do something better.

"Dag Sunde" <me@dagsunde.com> wrote in message
news:45***********************@news.wineasy.se...
> <inline/>
> Lucas Kruijswijk wrote:
>>> The words password and JavaScript send a chill down my spine.
>>> Remember anything you write in JavaScript can be viewed with a simple
>>> click on view source. JavaScript is for manipulating the DOM, creating
>>> dynamic pages. Security is something always best kept to a computer
>>> you know (e.g. the server) rather than the user's computer you know
>>> nothing about.
>>
>> The password is only in a Javascript variable. It is not in the DOM;
>> it is also not in the source.
>>
>> So, I didn't see real arguments. You can only access it by a
>> Javascript console.
>
> Type the following into the address field of your browser:
> (Without the quotes)
>
> "javascript:alert(yourPwdVar);"
>
> where "yourPwdVar" is the variable you're holding the password in.
>
>> By the way, it is not for a banking system or something like that :-)
>
> Then drop the password...
>
> :-)
>
> --
> Dag.

Feb 7 '07 #6
