admin管理员组文章数量:1313175
I need to access an api which requires http authentification on a per user basis using a jquery mobile api.
I plan to make the app available as a website as well as packaging it in Cordova for various devices.
If I have a login form which captures the username and password and store this as a javascript variable, is there any way this data could be exposed?
If so, what's the best alternative to handle storing the users authentification details? I am reticent to build an intermediary server if I don't have to.
Many Thanks. :D
I need to access an api which requires http authentification on a per user basis using a jquery mobile api.
I plan to make the app available as a website as well as packaging it in Cordova for various devices.
If I have a login form which captures the username and password and store this as a javascript variable, is there any way this data could be exposed?
If so, what's the best alternative to handle storing the users authentification details? I am reticent to build an intermediary server if I don't have to.
Many Thanks. :D
Share Improve this question asked Oct 12, 2012 at 19:39 significancesignificance 5,1059 gold badges40 silver badges57 bronze badges 3- Does it use HTTP basic auth, or is it a username/password passed as parameters into each API call? – SilverlightFox Commented Oct 15, 2012 at 14:26
- actually, both. http basic auth on each call the server - no auth tokens returned. – significance Commented Oct 15, 2012 at 18:05
- Once the user has authenticated with basic auth, won't this data automatically be sent by the browser to each requested resource? I know this is how it works for other browser requests, I'm not too sure with JavaScript though. – SilverlightFox Commented Oct 16, 2012 at 9:09
2 Answers
Reset to default 3I would suggest not storing the username or password in the localStorage, but instead to store an access token. Access tokens can be updated and changed frequently, it also doesn't reveal who the user is or what their hashed password is.
Besides iOS Keychain or if you're coding it for a non-iPhone device for added security you can:
- Change the access token at each login and each time the app is used
- Store the device ID in the server database (see http://docs.phonegap./en/2.2.0/cordova_device_device.md.html#device.uuid)
- Clear the localStorage and request a new login if the access token or device ID doesn't match the data stored in the database
Make sure you don't store the device ID in the localStorage.
For added security you can also store the user's IP address in the database and check (server side) if the IP address matches, but this might too much since the user would have to login every time they connect to the internet in a new location or if their IP address changes.
Storing the IP address in the server database then checking if it matches (server side) would probably be the safest since it wouldn't matter if someone got hold of the localStorage data.
So I understand you don't control the backend you log in to? If you do, I would be more inclined to send username/password once, and then store some access token that will allow you subsequent access.
If you don't control the backend, you're stuck with storing username/password. I would say, setting them in localStorage is as safe as it gets (which is, admittedly, not very safe. Then again, if your login doesn't happen on HTTPS, I would be more worried about passwords leaking there than from the device itself). You could make the passwords harder to find, not call the variables "username/password", encrypt them in javascript, obfuscate your code. But in the end, they can always be retrieved without too much effort with the right access to the device.
After packaging as native app, you have more options, e.g. iOS keychain: http://shazronatadobe.wordpress./2010/11/06/ios-keychain-plugin-for-phonegap/
本文标签: javascriptsecurely store user password locally in a jquery mobile appStack Overflow
版权声明:本文标题:javascript - securely store user password locally in a jquery mobile app - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741926284a2405307.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论