Is it possible to make "password" validation without refreshing a window?

Question

Hello again,

I've made a simple web application where a lot of things is done without refreshing a window. Now I faced a problem which I haven't realized before. If I won't find a solution, I'll have to redesign the whole app which will take a lot of time and probably kill some coolness of using it. Ouch. Ok, back to the problem.

To reveal - let's say - the "secret" part of the site, the user has to input a kind of... password and click "Confirm". But I don't have an idea how to store the password to prevent the user from reading it, for example in the source of the site.

At present, I use mysql database - I connect with it, read the password in PHP and store it in global javascript variable. But it's of course readable after entering the source.

Is it possible to do such a thing? Is it possible to secretly check the password without having to refresh the site and checking it with PHP?

Answer 1

You can encode the password with MD5 or SHA1, giving you a string of 32 or 40 random characters. This string is very hard (not impossible) to reverse to the original password.

MD5 and SHA1 have the property that a given value will always result in the same hash value. E.g. if you hash "stackoverflow" to 123ABC and you do it again on another machine, that machine will also produce 123ABC.

So, simply encode the password the user enters with the same algorithm and you can compare the two hashes. If they match, the password was correct.

Answer 2

I commend you for asking before implementing. Too few people seem to do that these days.

First off, believe it or not, you don't want to actually store the password anywhere. You want to use something called a salted hash instead. Using this technique, you end up with a random-ish looking code which is based on the password, and can be used to verify that the user has the password they say they have.

Second, you're going to want to use an Ajax request to perform this check for you in Javascript. I prefer using the JQuery library for this, because it provides a really nice, cross-platform, tested, easy to use wrapper over Javascript which makes stuff like this easily.

Answer 3

I've implemented one such app in python and employed the following approach
1) Perform the one time authentication using by sending a ajax post request to the back end. You may use library (jquery, dojo et al) or simple javascript, I chose the latter.
2) On successful authentication use the uuid library to generate a random unique id let's call it a session id. Php has the following uniqid library which should do this for you
3) Store this session id in the cookie and/or a variable
4) Store the session id and the user id in memcache or the database to check if the session is active.

I understand php has a built-in session handling mechanism so step 2 will be altered and the heavy lifting of 3 & 4 are done for you.

Answer 4

Never minding for a moment the security flaw of storing an un-hashed password in the data store, what you're doing is perfectly possible.

Before gathering thoughts on what you wish to do, here's what you don't want to ever do. Never, ever send the password or key to the user agent in source code. Its going to get sniffed out no matter how you try to hide it.

Make the client provide the password. Send it to the server with an XmlHttpRequest - also known as AJAX. If the server likes what it received, it may send a response containing privileged information (the "secrets").

Here's a link which explains AJAX. If you have access to jQuery, you may use it to do your client-side heavy lifting.