> Now, to prevent someone having to type his password any time he wants to
> change a password (which is doable for ordinary users, but not for admins
> who do this routinely for other users), I want this secret stored in the
> client, available to javascript, between pages.
Just use a different script for admins - if they are logged in as an admin
they can change any password in the database just by typing the new one in,
and possibly the admin's own old password to verify that it is an admin
logged in. Normal users can only change theirs if they can type their old
one in first and then their new one.
> A cookie isn't an option, as that's sent over the line. I was thinking to
> put the application in a (hidden) frame, and the secret in a variable in
> another, but I have the feeling there should be an easier way. Does anyone
> have an idea?
A hidden frame will still be accessible by viewing the source so that is not
going to provide any sort of security over a cookie.
What I do with passwords is they log in (without ssl, but security isn't
hugely important), PHP then checks that password against the value in the
database, and if it matches then use sessions (either in a cookie or as a
query string on the url) which keeps the details of what access they have on
the server - a much safer place for it to be. Every other page then just
checks the session data to make sure it is a logged on user. For changing
passwords, just ask them for their old one just to verify it is the user
changing it and they haven't just left it logged in somewhere. For admins
though, PHP can deal with verifying that it is an admin that is logged in and
the admin can change any password.
But most importantly, using javascript for password validation / storage is
not at all secure, and there's no reason you would need to do it. Keep the
password server-side except when the user has to enter the password - but
never send a password back to the page. Also, once you receive the password
in your PHP script, hash it and only ever use the hash values - the script
should never see the password again.
It's a bit of a rethink to what you're doing, but seems to be a better way to
do what you're doing.
David
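The server-side flow David describes (session identifies the caller, normal users prove the old password and may only change their own, admins may reset anyone, plaintext is hashed at once), written out as an added example that is not from the thread. The `users` table layout, the in-memory SQLite seed data and the `changePassword` function name are all constructed for this demo.

```php
<?php
// Added example, not David's code: the server-side password change he describes.
// Table layout (id, name, pw_hash, is_admin) and the in-memory SQLite seed data
// are constructed for the demo; the caller id comes from the PHP session, never
// from anything the browser or its javascript holds.

function changePassword(PDO $db, int $callerId, int $targetId,
                        string $oldPw, string $newPw): bool {
    $st = $db->prepare('SELECT pw_hash, is_admin FROM users WHERE id = ?');
    $st->execute([$callerId]);
    $caller = $st->fetch(PDO::FETCH_ASSOC);
    if (!$caller) {
        return false;                         // session points at a vanished user
    }
    // Normal users may change only their own password and must first prove
    // they know the old one; admins may change any account's password.
    if (!$caller['is_admin']) {
        if ($targetId !== $callerId || !password_verify($oldPw, $caller['pw_hash'])) {
            return false;
        }
    }
    // Hash immediately; only the hash is stored and the plaintext is never echoed.
    $hash = password_hash($newPw, PASSWORD_DEFAULT);
    $upd  = $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?');
    $upd->execute([$hash, $targetId]);
    return $upd->rowCount() === 1;
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?)');
$ins->execute([1, 'alice', password_hash('alice-old', PASSWORD_DEFAULT), 0]);
$ins->execute([2, 'root',  password_hash('admin-pw',  PASSWORD_DEFAULT), 1]);

// In the real page the caller id is read from the session after login:
//   session_start(); $callerId = $_SESSION['user_id'];
var_dump(changePassword($db, 1, 1, 'wrong-old', 'new1'));  // normal user, wrong old password
var_dump(changePassword($db, 1, 1, 'alice-old', 'new1'));  // normal user, own account, old one correct
var_dump(changePassword($db, 1, 2, 'alice-old', 'new2'));  // normal user trying another account
var_dump(changePassword($db, 2, 1, '',          'new3'));  // admin resetting another user
```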