I'm writing a web app for 100 users where I work. It is accessible on the internet, not just our intranet. Many users are unskilled users, though most use Chrome as that's the browser that's default on their laptops.

To auth with the web app, this is a potential plan:

  1. User enters password
  2. Password is sent to server
  3. Password is hashed and compared with the stored hash
  4. If password is right, the browser stores the password in local storage
  5. If the user's session cookie has expired, JavaScript posts the stored password on first view so the user doesn't have to re-authenticate

Is this a good idea?

+2  A: 

Why bother authenticating at all if you are going to store passwords for users?

How are you going to ensure that another person using their computer cannot access your site?

Passwords are about someone sharing a secret with you, by which they tell you they are who they claim they are (authentication) - doing away with the need to re-authenticate every now and then makes the authentication scheme quite useless.

Oded
Pretty much, if you aren't going to have them check that the user knows the password, you might as well just have them using one account across the board
tsgrasser
+1  A: 

I don't think that you should store the user's password on the client side for what you are trying to achieve. It can be done through cookies.
So suppose the user has authenticated, then maybe you could make a cookie that would reside on their machine for a couple of weeks and that would serve as their gate pass.
Storing passwords (that too non-encrypted) is not recommended.

jmhowwala
+2  A: 

This doesn't quite make sense. It sounds like the server doesn't support "Remember me" and you're trying to add it using the client. Why not just support it on the server? There are plenty of existing tutorials and questions on setting it up (try this search), but it basically means having a special login cookie with a randomly generated value (kept track of by the server) and a long (maybe a couple weeks, not forever) expiry. Storing the password, even hashed, opens the user up to indefinite (until the password is changed) replay attacks if someone gains access to the database.

Matthew Flaschen
That's a much better idea, hadn't considered using that technique.
Rich Bradshaw
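The server-side "Remember me" scheme the accepted answer describes (a random value the server keeps track of, a long but finite expiry, nothing derived from the password) is sketched below as an added example. It is not code from the question or from any of the answerers, and it assumes a Python back end; the in-memory `RememberMeStore` stands in for whatever database table the real server would use. Two choices go slightly beyond the answer and are assumptions here: the cookie is split into a lookup `selector` and a secret `validator` so that only a hash of the secret half is stored (a copy of the table cannot be replayed, which is exactly the failure the answer warns about for stored password hashes), and a token is consumed on use and replaced (single-use rotation).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical lifetime for the remember-me cookie: a couple of weeks, not forever.
REMEMBER_ME_TTL_SECONDS = 14 * 24 * 60 * 60


@dataclass
class RememberToken:
    """Server-side record for one remember-me cookie (constructed schema)."""
    user_id: str
    validator_hash: bytes   # SHA-256 of the secret half; the secret itself is never stored
    expires_at: float       # unix time after which the record is dead


class RememberMeStore:
    """In-memory stand-in for the table the server would keep (hypothetical)."""

    def __init__(self) -> None:
        self._tokens: dict[str, RememberToken] = {}

    @staticmethod
    def _hash(validator: str) -> bytes:
        return hashlib.sha256(validator.encode("ascii")).digest()

    def issue(self, user_id: str, now: float | None = None) -> str:
        """Create a fresh random token for user_id and return the cookie value.

        The cookie is "selector:validator": the selector is the lookup key, the
        validator is the secret that proves possession. Only a hash of the
        validator is stored, so a leaked copy of the store cannot be replayed.
        """
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)
        validator = secrets.token_urlsafe(32)
        self._tokens[selector] = RememberToken(
            user_id=user_id,
            validator_hash=self._hash(validator),
            expires_at=now + REMEMBER_ME_TTL_SECONDS,
        )
        return f"{selector}:{validator}"

    def redeem(self, cookie_value: str, now: float | None = None) -> tuple[str, str] | None:
        """Check a presented cookie. On success return (user_id, replacement_cookie).

        The presented token is consumed and a new one issued (single-use
        rotation), so a copied cookie stops working once the legitimate browser
        has used it. Returns None for unknown, wrong or expired tokens.
        """
        now = time.time() if now is None else now
        selector, sep, validator = cookie_value.partition(":")
        if not sep:
            return None
        record = self._tokens.get(selector)
        if record is None:
            return None
        if now >= record.expires_at:
            del self._tokens[selector]
            return None
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(record.validator_hash, self._hash(validator)):
            return None
        del self._tokens[selector]
        return record.user_id, self.issue(record.user_id, now)

    def revoke_user(self, user_id: str) -> int:
        """Drop every remember-me token for user_id, e.g. right after a password change."""
        doomed = [s for s, r in self._tokens.items() if r.user_id == user_id]
        for s in doomed:
            del self._tokens[s]
        return len(doomed)

    def count(self) -> int:
        return len(self._tokens)


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")          # set this as the remember-me cookie after login
    print("redeem:", store.redeem(cookie))  # (user_id, replacement cookie) on the next visit
    print("replay:", store.redeem(cookie))  # None: the old value was consumed
```

The cookie value returned by `issue` is what the server would set on the response (with `Secure` and `HttpOnly` so the page's JavaScript never needs to touch it); on a request with no live session the server calls `redeem`, starts a session for the returned user, and sets the replacement cookie. Calling `revoke_user` when the password changes closes the "until the password is changed" window the answer mentions, since the tokens are independent of the password.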