How To Secure Login Credentials for Ajax


Cross-Posted From : CodeOnFire.cThru.biz

Many JavaScript and other clients that make use of REST or other web services have to use authentication credentials to allow the end user access to those services.

There are several ways to get the credentials to the server. One popular method is HTTP/1.1 authentication, either Digest or Basic. The problem with this method is that it doesn’t hide your credentials from the world: anybody listening in on your web traffic can essentially lift your credentials straight out of the headers.

Another method, probably more readily used by the majority, is to include login credentials in the POST or GET calls being made to web services. And that is just as exposed.

http://mywebserver.com/mywebservice/?user=admin&pass=1234 does not make for very high transport security.

SSL is really the only way to be sure that your credentials remain hidden from the rest of the world.

Server Generated Tokens for Obscuring Login Credentials

I have taken up a different tactic. It runs the following course:

  1. The client requests a random token from the server to use during its session.
  2. Once it receives the token, the client concatenates the token to the end of the password and then MD5-hashes the whole thing.
  3. When the server needs credentials, the client passes user=’username’&passhash=[md5(password+token)].
  4. The server runs the same process on its end and compares the result. If the two hashes match, the passwords used in those hashes have to be the same as well.

The beauty of this method is that although it is a 100% reliable method for identifying the correct credentials, it is also impossible to reverse the process and recover the password.

Taking Things One Step Further

My initial version used [md5(password+token)]. I have now updated it to use a variety of information I would like to hide:
[md5(username+password+my_ip+token)], which has some cross-site scripting obfuscation built in.

A devious and very zealous hacker can still hijack your session with some effort. You can make sure it is not worth their while by regularly changing the token for the current session.

KnowledgeTree JavaScript API

As a developer on KnowledgeTree I am currently working on a set of JavaScript libraries that will expose server functionality via an API. A core component of KnowledgeTree is its strict security. The method described above (or a variant of it) is in the process of being implemented for the KnowledgeTree jAPI.

Onwards and Upwards!

Follow me on Twitter: @MarkH_KT




© Copyright 2010, KnowledgeTree, Inc. All rights reserved. KnowledgeTree and the KnowledgeTree logo are trademarks of KnowledgeTree, Inc.