views:

192

answers:

8

Is there some way I can authenticate a user in the client-side (browser) in a web application?

A: 

Not very securely, no. You can use AJAX to authenticate without changing pages and you can use cookies to automatically trigger the process (in combination with server side code).

Ross
A: 

If your data that is used to authenticate them is on the server, ie. in a database, then no. The authentication would require a round-trip.

You could issue them an encrypted cookie with some sort of validation data in it. Then upon the first request, check the contents of the cookie,

Basically, your logic to authenticate would have to be on the server, so a roundtrip would always be required.

Sean Chambers
A: 

You can never trust what's on the other end of the wire.

sparkes
+1  A: 

You could to some extent, but it's not actually validation. For example, you could send some Javascript that asked for an email and password combination and checked it against some predetermined value.

The problem is what you would do after the check. The Javascript call would probably send some sort of response "OK! This is really [email protected]" back to your server. An attacker could just stop the script and send that response manually without doing any checks.

You could prevent this by doing some sort of hashing / signature on the response, but then your server would have to validate the signature. It's easier to just validate the email/password combination.

James A. Rosen
A: 

Sure, with a simple username/password login you can use XMLHttpRequests (AJAX) to communicate between the browser and the server without reloading a page. This would have issues with Cross Site Scripting (XSS) if you're trying to communicate using https and the current page is http. So you would need to already be on https.

An alternative would be to use Flash or Silverlight with a login form that sends information between the browser and server without reloading.

If you mean without a connection to a server?

This sounds dangerous to me. Unless at one point they did authenticate with your server, then you could set a cookie that gives that user privileges. But again, this sounds dangerous if they aren't communicating with your server.

Joseph Pecoraro
A: 

I don't understand why the question has negative votes, given that the answers are very informative. The question is good, and to someone who is looking for this it would be very informative to find out why this is not a good idea.

Martín Marconcini
A: 

The Clipperz "zero-knowledge" password manager does something a bit like this. My understanding is that they just hand the browser a big chunk of data, and the browser decodes it with knowledge that only the end user has. The extremely paranoid are expected to read the JavaScript for themselves before they decide to give it any credentials.

Pretty cool idea, though it's worth noting that not everyone's convinced.

undees
+2  A: 

You can do it, but you probably shouldn't.

Anything that runs on the browser is completely visible to the user, and so it's vulnerable to an attack when the user knows some programming language. The user can see your validation algorithm, and can learn how to simulate a successful validation and tell your server that he's someone he isn't! :)

And don't try to use code obfuscation! It never really works.

Ricardo Reyes