Security question

  • Thread starter Lucas Kruijswijk

Lucas Kruijswijk

Hello all,

I have a security question. Instead of having a session key,
I was thinking to hold the password of some application in
a Javascript variable.

Each time an HTTP (or HTTPS) request is sent from Javascript,
I also send the password. The server checks the password
and sends back the result.

In this way, no need for session.

Is there a security problem with this kind of programming?

The only thing I could think of, is that in Firefox and firebug
someone could access the variable to get the password. But
that is a risk I take.

I am more concerned that some evil website could steal the
password by some other Javascript. But I could not find
a way, so, I assume this is rather safe.

Or, does someone disagree?

Regards,

Lucas

Dag Sunde

Lucas said:
> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.

Bad idea!

> Each time an HTTP (or HTTPS) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.
>
> In this way, no need for session.
>
> Is there a security problem with this kind of programming?

YES!

> The only thing I could think of, is that in Firefox and firebug
> someone could access the variable to get the password. But
> that is a risk I take.

You don't need Firefox or Firebug. You can read your password in
any browser with one or two clicks with the mouse if you do it
this way.

> I am more concerned that some evil website could steal the
> password by some other Javascript. But I could not find
> a way, so, I assume this is rather safe.

You're wrong!
:)

> Or, does someone disagree?

Heartily, Yes!

Benjamin

> Hello all,
>
> I have a security question. Instead of having a session key,
> I was thinking to hold the password of some application in
> a Javascript variable.
>
> Each time an HTTP (or HTTPS) request is sent from Javascript,
> I also send the password. The server checks the password
> and sends back the result.

The words password and JavaScript send a chill down my spine. Remember,
anything you write in JavaScript can be viewed with a simple click on
view source. JavaScript is for manipulating the DOM and creating dynamic
pages. Security is something always best kept to a computer you know
(e.g. the server) rather than the user's computer you know nothing
about.

Lucas Kruijswijk

> The words password and JavaScript send a chill down my spine. Remember,
> anything you write in JavaScript can be viewed with a simple click on
> view source. JavaScript is for manipulating the DOM and creating dynamic
> pages. Security is something always best kept to a computer you know
> (e.g. the server) rather than the user's computer you know nothing
> about.

The password is only in a Javascript variable. It is not in the DOM,
and it is also not in the source.

So, I didn't see real arguments. You can only access it by a Javascript
console.

By the way, it is not for a banking system or something like that :)

Lucas

Dag Sunde

> The password is only in a Javascript variable. It is not in the DOM,
> and it is also not in the source.
>
> So, I didn't see real arguments. You can only access it by a
> Javascript console.

Type the following into the address field of your browser:
(Without the quotes)

"javascript:alert(yourPwdVar);"

where "yourPwdVar" is the variable you're holding the password in.

> By the way, it is not for a banking system or something like that :)

Then drop the password...

:)
 
