Security question

Hello all,

I have a security question. Instead of having a session key,
I was thinking of holding the password of some application in
a Javascript variable.

Each time an http (or https) request is sent from Javascript,
I also send the password. The server checks the password
and sends back the result.

In this way, no need for session.

Is there a security problem with this kind of programming?

The only thing I could think of, is that in Firefox and firebug
someone could access the variable to get the password. But
that is a risk I take.

I am more concerned that some evil website could steal the
password by some other Javascript. But I could not find
a way, so, I assume this is rather safe.

Or, does someone disagree?

Regards,

Lucas
Feb 6 '07 #1
Lucas Kruijswijk wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking of holding the password of some application in
> a Javascript variable.

Bad idea!

> Each time an http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
>
> In this way, no need for session.
>
> Is there a security problem with this kind of programming?

YES!

> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.

You don't need Firefox or Firebug. You can read your password in
any browser with one or two clicks with the mouse if you do it
this way.

> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.

You're wrong!
:-)

> Or, does someone disagree?

Heartily, yes!

--
Dag.
Feb 6 '07 #2
On Feb 6, 4:37 pm, "Lucas Kruijswijk" <L.B.Kruijsw...@inter.nl.net>
wrote:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking of holding the password of some application in
> a Javascript variable.
>
> Each time an http (or https) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.

The words password and JavaScript send a chill down my spine. Remember,
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating the DOM and creating dynamic
pages. Security is something always best kept to a computer you know
(e.g. the server) rather than the user's computer you know nothing
about.

> In this way, no need for session.
>
> Is there a security problem with this kind of programming?
>
> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.
>
> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.
>
> Or, does someone disagree?

Please don't do this!

> Regards,
>
> Lucas

Feb 7 '07 #3
> The words password and JavaScript send a chill down my spine. Remember,
> anything you write in JavaScript can be viewed with a simple click on
> view source. JavaScript is for manipulating the DOM and creating dynamic
> pages. Security is something always best kept to a computer you know
> (e.g. the server) rather than the user's computer you know nothing
> about.

The password is only in a Javascript variable. It is not in the DOM,
and it is also not in the source.

So, I didn't see real arguments. You can only access it by a Javascript
console.

By the way, it is not for a banking system or something like that :-)

Lucas

>> In this way, no need for session.
>>
>> Is there a security problem with this kind of programming?
>>
>> The only thing I could think of, is that in Firefox and firebug
>> someone could access the variable to get the password. But
>> that is a risk I take.
>>
>> I am more concerned that some evil website could steal the
>> password by some other Javascript. But I could not find
>> a way, so, I assume this is rather safe.
>>
>> Or, does someone disagree?
>
> Please don't do this!
>
>> Regards,
>>
>> Lucas


Feb 7 '07 #4
<inline/>
Lucas Kruijswijk wrote:
>> The words password and JavaScript send a chill down my spine.
>> Remember, anything you write in JavaScript can be viewed with a simple
>> click on view source. JavaScript is for manipulating the DOM and creating
>> dynamic pages. Security is something always best kept to a computer
>> you know (e.g. the server) rather than the user's computer you know
>> nothing about.
>
> The password is only in a Javascript variable. It is not in the DOM,
> and it is also not in the source.
>
> So, I didn't see real arguments. You can only access it by a
> Javascript console.

Type the following into the address field of your browser
(without the quotes):

"javascript:alert(yourPwdVar);"

where "yourPwdVar" is the variable you're holding the password in.

> By the way, it is not for a banking system or something like that :-)

Then drop the password...

:-)

--
Dag.

Feb 7 '07 #5
Thanks, I am convinced. I will do something better.

"Dag Sunde" <me@dagsunde.com> wrote in message
news:45***********************@news.wineasy.se...
> <inline/>
> Lucas Kruijswijk wrote:
>>> The words password and JavaScript send a chill down my spine.
>>> Remember, anything you write in JavaScript can be viewed with a simple
>>> click on view source. JavaScript is for manipulating the DOM and creating
>>> dynamic pages. Security is something always best kept to a computer
>>> you know (e.g. the server) rather than the user's computer you know
>>> nothing about.
>>
>> The password is only in a Javascript variable. It is not in the DOM,
>> and it is also not in the source.
>>
>> So, I didn't see real arguments. You can only access it by a
>> Javascript console.
>
> Type the following into the address field of your browser
> (without the quotes):
>
> "javascript:alert(yourPwdVar);"
>
> where "yourPwdVar" is the variable you're holding the password in.
>
>> By the way, it is not for a banking system or something like that :-)
>
> Then drop the password...
>
> :-)

--
Dag.

Feb 7 '07 #6
