Security question

Discussion in 'Javascript' started by Lucas Kruijswijk, Feb 6, 2007.

  1. Hello all,

    I have a security question. Instead of having a session key,
    I was thinking to hold the password of some application in
    a Javascript variable.

    Each time a http (or https) request is sent from Javascript,
    I also send the password. The server checks the password
    and sends back the result.

    In this way, no need for session.

    Is there a security problem with this kind of programming?

    The only thing I could think of, is that in Firefox and firebug
    someone could access the variable to get the password. But
    that is a risk I take.

    I am more concerned that some evil website could steal the
    password by some other Javascript. But I could not find
    a way, so, I assume this is rather safe.

    Or, does someone disagree?

    Regards,

    Lucas
    Lucas Kruijswijk, Feb 6, 2007
    #1

  2. Dag Sunde (Guest)

    Lucas Kruijswijk wrote:
    > Hello all,
    >
    > I have a security question. Instead of having a session key,
    > I was thinking to hold the password of some application in
    > a Javascript variable.


    Bad idea!
    >
    > Each time a http (or https) request is sent from Javascript,
    > I also send the password. The server checks the password
    > and sends back the result.
    >
    > In this way, no need for session.
    >
    > Is there a security problem with this kind of programming?


    YES!

    >
    > The only thing I could think of, is that in Firefox and firebug
    > someone could access the variable to get the password. But
    > that is a risk I take.


    You don't need Firefox or Firebug. You can read your password in
    any browser with one or two clicks with the mouse if you do it
    this way.

    >
    > I am more concerned that some evil website could steal the
    > password by some other Javascript. But I could not find
    > a way, so, I assume this is rather safe.


    You're wrong!
    :)

    >
    > Or, does someone disagree?
    >


    Heartily, Yes!

    --
    Dag.
    Dag Sunde, Feb 6, 2007
    #2

  3. Benjamin (Guest)

    On Feb 6, 4:37 pm, "Lucas Kruijswijk" <>
    wrote:
    > Hello all,
    >
    > I have a security question. Instead of having a session key,
    > I was thinking to hold the password of some application in
    > a Javascript variable.
    >
    > Each time a http (or https) request is sent from Javascript,
    > I also send the password. The server checks the password
    > and sends back the result.

    The words password and JavaScript send a chill down my spine. Remember,
    anything you write in JavaScript can be viewed with a simple click on
    view source. JavaScript is for manipulating the DOM and creating dynamic
    pages. Security is something always best kept to a computer you know
    (e.g. the server) rather than the user's computer you know nothing
    about.
    >
    > In this way, no need for session.
    >
    > Is there a security problem with this kind of programming?
    >
    > The only thing I could think of, is that in Firefox and firebug
    > someone could access the variable to get the password. But
    > that is a risk I take.
    >
    > I am more concerned that some evil website could steal the
    > password by some other Javascript. But I could not find
    > a way, so, I assume this is rather safe.
    >
    > Or, does someone disagree?

    Please don't do this!
    >
    > Regards,
    >
    > Lucas
    Benjamin, Feb 7, 2007
    #3
  4. > The words password and JavaScript send a chill down my spine. Remember,
    > anything you write in JavaScript can be viewed with a simple click on
    > view source. JavaScript is for manipulating the DOM and creating dynamic
    > pages. Security is something always best kept to a computer you know
    > (e.g. the server) rather than the user's computer you know nothing
    > about.

    The password is only in a Javascript variable. It is not in the DOM;
    it is also not in the source.

    So, I didn't see real arguments. You can only access it by a Javascript
    console.

    By the way, it is not for a banking system or something like that :)

    Lucas

    >>
    >> In this way, no need for session.
    >>
    >> Is there a security problem with this kind of programming?
    >>
    >> The only thing I could think of, is that in Firefox and firebug
    >> someone could access the variable to get the password. But
    >> that is a risk I take.
    >>
    >> I am more concerned that some evil website could steal the
    >> password by some other Javascript. But I could not find
    >> a way, so, I assume this is rather safe.
    >>
    >> Or, does someone disagree?

    > Please don't do this!
    >>
    >> Regards,
    >>
    >> Lucas

    >
    >
    Lucas Kruijswijk, Feb 7, 2007
    #4
  5. Dag Sunde (Guest)

    <inline/>
    Lucas Kruijswijk wrote:
    >> The words password and JavaScript send a chill down my spine.
    >> Remember, anything you write in JavaScript can be viewed with a simple
    >> click on view source. JavaScript is for manipulating the DOM and creating
    >> dynamic pages. Security is something always best kept to a computer
    >> you know (e.g. the server) rather than the user's computer you know
    >> nothing about.

    > The password is only in a Javascript variable. It is not in the DOM;
    > it is also not in the source.
    >
    > So, I didn't see real arguments. You can only access it by a
    > Javascript console.


    Type the following into the address field of your browser:
    (Without the quotes)

    "javascript:alert(yourPwdVar);"

    where "yourPwdVar" is the variable you're holding the password in.

    >
    > By the way, it is not for a banking system or something like that :)
    >


    Then drop the password...

    :)

    --
    Dag.
    Dag Sunde, Feb 7, 2007
    #5
  6. Thanks, I am convinced. I will do something better.

    "Dag Sunde" <> wrote in message
    news:45ca1c2d$0$24605$...
    > <inline/>
    > Lucas Kruijswijk wrote:
    >>> The words password and JavaScript send a chill down my spine.
    >>> Remember, anything you write in JavaScript can be viewed with a simple
    >>> click on view source. JavaScript is for manipulating the DOM and creating
    >>> dynamic pages. Security is something always best kept to a computer
    >>> you know (e.g. the server) rather than the user's computer you know
    >>> nothing about.

    >> The password is only in a Javascript variable. It is not in the DOM;
    >> it is also not in the source.
    >>
    >> So, I didn't see real arguments. You can only access it by a
    >> Javascript console.

    >
    > Type the following into the address field of your browser:
    > (Without the quotes)
    >
    > "javascript:alert(yourPwdVar);"
    >
    > where "yourPwdVar" is the variable you're holding the password in.
    >
    >>
    >> By the way, it is not for a banking system or something like that :)
    >>

    >
    > Then drop the password...
    >
    > :)
    >
    > --
    > Dag.
    >
    >
    >
    Lucas Kruijswijk, Feb 7, 2007
    #6