Security question

Hello all,

I have a security question. Instead of having a session key,
I was thinking to hold the password of some application in
a Javascript variable.

Each time a http (or https) request is sent from Javascript,
I also send the password. The server checks the password
and sends back the result.

In this way, no need for session.

Is there a security problem with this kind of programming?

The only thing I could think of, is that in Firefox and firebug
someone could access the variable to get the password. But
that is a risk I take.

I am more concerned that some evil website could steal the
password by some other Javascript. But I could not find
a way, so, I assume this is rather safe.

Or, does someone disagree?

Regards,

Lucas
Feb 6 '07 #1
Lucas Kruijswijk wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.

Bad idea!

> Each time a http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
>
> In this way, no need for session.
>
> Is there a security problem with this kind of programming?

YES!

> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.

You don't need Firefox or Firebug. You can read your password in
any browser with one or two clicks with the mouse if you do it
this way.

> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.

You're wrong!
:-)

> Or, does someone disagree?

Heartily, Yes!

--
Dag.
Feb 6 '07 #2
On Feb 6, 4:37 pm, "Lucas Kruijswijk" <L.B.Kruijsw...@inter.nl.net>
wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.
>
> Each time a http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.

The words password and JavaScript send a chill down my spine. Remember
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating DOM creating dynamic
pages. Security is something always best kept to a computer you know
(eg. the server) rather than the user's computer you know nothing
about.

> In this way, no need for session.
>
> Is there a security problem with this kind of programming?
>
> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.
>
> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.
>
> Or, does someone disagree?

Please don't do this!

> Regards,
>
> Lucas

Feb 7 '07 #3
> The words password and JavaScript send a chill down my spine. Remember
> anything you write in JavaScript can be viewed with a simple click on
> view source. JavaScript is for manipulating DOM creating dynamic
> pages. Security is something always best kept to a computer you know
> (eg. the server) rather than the user's computer you know nothing
> about.

The password is only in a Javascript variable. It is not in the DOM,
it is also not in the source.

So, I didn't see real arguments. You can only access it by a Javascript
console.

By the way, it is not for a banking system or something like that :-)

Lucas

>> In this way, no need for session.
>>
>> Is there a security problem with this kind of programming?
>>
>> The only thing I could think of, is that in Firefox and firebug
>> someone could access the variable to get the password. But
>> that is a risk I take.
>>
>> I am more concerned that some evil website could steal the
>> password by some other Javascript. But I could not find
>> a way, so, I assume this is rather safe.
>>
>> Or, does someone disagree?
>
> Please don't do this!
>
>> Regards,
>>
>> Lucas

Feb 7 '07 #4
<inline/>
Lucas Kruijswijk wrote:
>> The words password and JavaScript send a chill down my spine.
>> Remember anything you write in JavaScript can be viewed with a simple
>> click on view source. JavaScript is for manipulating DOM creating
>> dynamic pages. Security is something always best kept to a computer
>> you know (eg. the server) rather than the user's computer you know
>> nothing about.
>
> The password is only in a Javascript variable. It is not in the DOM,
> it is also not in the source.
>
> So, I didn't see real arguments. You can only access it by a
> Javascript console.

Type the following into the address field of your browser:
(Without the quotes)

"javascript:alert(yourPwdVar);"

where "yourPwdVar" is the variable you're holding the password in.

> By the way, it is not for a banking system or something like that :-)
Then drop the password...

:-)

--
Dag.

Feb 7 '07 #5
Thanks, I am convinced. I will do something better.

"Dag Sunde" <me@dagsunde.com> wrote in message
news:45***********************@news.wineasy.se...
> <inline/>
> Lucas Kruijswijk wrote:
>>> The words password and JavaScript send a chill down my spine.
>>> Remember anything you write in JavaScript can be viewed with a simple
>>> click on view source. JavaScript is for manipulating DOM creating
>>> dynamic pages. Security is something always best kept to a computer
>>> you know (eg. the server) rather than the user's computer you know
>>> nothing about.
>> The password is only in a Javascript variable. It is not in the DOM,
>> it is also not in the source.
>>
>> So, I didn't see real arguments. You can only access it by a
>> Javascript console.
>
> Type the following into the address field of your browser:
> (Without the quotes)
>
> "javascript:alert(yourPwdVar);"
>
> where "yourPwdVar" is the variable you're holding the password in.
>
>> By the way, it is not for a banking system or something like that :-)
>
> Then drop the password...
>
> :-)
>
> --
> Dag.

Feb 7 '07 #6
