I'm trying to keep users' passwords secured, but I noticed that the header information sent while submitting the form is visible to everyone. Is it secure, or is there a way to keep it secure? I know how to apply MD5 to the password in JS, but MD5 isn't secure anymore, and I can't add a salt with JS because everyone can find out what the salt is. So what do you suggest I do? I think that soon I'll have SSL on my website (https://), but I'm not sure, so I need another way to keep the communication safe. And even if I do have SSL, it comes from the HostGator business plan, and if I'm not mistaken, that SSL doesn't work on mobile. (The form is sent via POST using AJAX.)
asked Dec 30, 2013 at 19:47 by user3141603
- Even if you encrypt it on the client side, it's still JS. Anybody can see what you're doing. – Bibhas Debnath Commented Dec 30, 2013 at 19:50
- 6 What makes you think SSL doesn't work on mobile? No matter whether it's sent through GET, POST, AJAX, or any combination of them, it's readable unless sent over SSL. – zero298 Commented Dec 30, 2013 at 19:51
- @Bibhas exactly! That's what I'm asking! How do I secure the sending itself, not the password once it is already on the server? I guess that a strong hash, even if the hacker knows how it was hashed, will keep the password safe while it is "on the way" to the server, but I don't know a very strong hash in JS (or jQuery). – user3141603 Commented Dec 30, 2013 at 19:54
- 1 @VladGincher, this is what transport layer security (SSL or TLS) is for. – Chris Commented Dec 30, 2013 at 19:56
- 3 @VladGincher: Without SSL, you cannot be secure, period. The attacker can modify your hashing code to send him the password first. You need to use a decent host that supports full SSL. – SLaks Commented Dec 30, 2013 at 20:00
4 Answers
AJAX is irrelevant.
The only way to secure your login page is to use SSL or TLS, which work fine on modern mobile browsers.
I also think HTTPS is already available in most mobile browsers. But if you're sure it isn't in your situation, you could consider a public key cryptography js library. pidCrypt springs to mind. But only if it's really necessary, it's rather overkill in most cases I think.
You can download sha512.js from http://pajhome.uk/crypt/md5/sha512.html and then declare a function like this:
function formhash(form, password)
{
    // Look for the hidden field inside this form only; a page-wide
    // $('input[name="p"]') would pick up a field from another form, and a
    // second call would otherwise append a second hidden input.
    var p = $('input[name="p"]', form);
    if (p.length === 0) {
        $(form).append('<input name="p" type="hidden">');
        p = $('input[name="p"]', form);
    }
    // hex_sha512 is provided by sha512.js: SHA-512 hex digest of the UTF-8 password.
    p.val(hex_sha512(password.val()));
    // Blank the visible field so the plaintext is not submitted alongside the hash.
    password.val('');
    return p.val();
}
so afterwards you can send data to your server with ajax like:
var dataObj = {
'username': $('input[name="username"]').val(),
'password': formhash($('.form-signin'), $('input[name="password"]'))
};
and your password will be sent already encrypted. Of course you should use https for your login form page too.
Mobile applications, and browsers, support SSL; that is not your issue here. If your host does not support SSL, then you need to move away from it.
Client-side crypto will provide you with no additional security. It might provide your user with additional security.
All of the attacks that could be used to get the password from the client could also be used to get the hashed or encrypted password from the client; your system would accept that value, not knowing that it was not the user's browser that generated it. So client-side crypto is not going to provide your site with any additional security.
The perspective is different if you are trying to protect your user. By using client-side crypto, you could make the argument that you never know the user's password, protecting the user in the event of a breach of your systems. Your system would still be compromised, but all of the other systems that use that password would not be.
For an authentication mechanism, you need Transport Layer Security, there is pretty much no way around it.
Tags: javascript. Source: "How to secure the password while it is being sent using AJAX?" - Stack Overflow