I have a webpage that is only accessible over http basic auth. How can I figure out the basic auth username in javascript in that page. i.e. when someone visits it (after logging in), I want to make a popup that says "Hello, you're currently signed in as the user $USERNAME"
It's not possible purely from JavaScript. You'd have to have the server side script pick up the username from the request, and insert it in the generated page code for the script to pick up. (eg. <script type="text/javascript">var username=(insert JSON-encoded string here);</script>.
javascript:window.alert(document.location) seems to give a URL with a username (but no password). This may not be true in other browsers.
Related
I'm trying to improve my jQuery skills developing a litte website containing a login system.
I'm looking for the best practise and most secure login system.
So far
I had a login.html having a <form action="login.pl">.
On my login.pl I'm connecting to my database and if the user is valid I print a http-redirect to home.html adding my params (?param1=val1¶m2=val2).
Now I took a different way (at least for me a better looking way).
I have a login.html doing an $.ajax request before submit.
The ajax request calls my login.plwhich is returning an json-sting containing a status.
If the json-sting status is success, I return true which results submitting the form <form method="POST" action="home.html">
Now I'm having a few questions:
My form POSTs the password to my home.html.
I believe I have to replace the password value and add some kind of session value to the form to be able to check later if the user session is valid or not. Do I?
How is this done on a professional security level?
I can't access the form data in my home.html as long as I use POST. I try to avoid using GET because professional websites don't have those ugly urls.
How am I supposed to transport username + session id? Do I have to use cookies here?
I didn't really worked with cookies so far, but since user can read cookies, I still won't add any real passwords here and replace password with a session id.
For my understandings: These security requirements won't change even with https. HTTPS provides a secure connection but I still won't save or store any real passwords anywhere on the client.
I am creating a user authentication system using PHP, JQuery, and AJAX. On submit, a request will be sent to 'authenticate.php' with data: username & password using AJAX. The PHP code checks a database for the record and returns 0 on success, 1 on failure. Then if the returned value is 0, the page will be redirected to the 'user private page' using 'window.location="user.php"'.
Now, the question is, is it safe and proper way to authenticate like this? Are there any security problems to use jQuery/JavaScript to redirect page?
Now, the question is, is it safe and proper way to authenticate like this?
Only if inside your user.php you check again if the user has successfully authenticated already. (This is usually where sessions come into play.)
Otherwise, of course everyone who knows the URL of user.php can access it directly.
Are there any security problems to use jquery/js to redirect page?
The only difference between window.location="user.php" (which is wrong, btw. – correct would be window.location.href="user.php") and, say, a normal link to that page, foo, is that the first one happens automatically, and the second one would require the user to click the link first.
So, it is as “secure” as if you had used a simple link. What that actually means here in this case, depends what I said above.
Depends on how secure and compliant you want you application to be. According to RFCs its not recommended to login like that, but keep the form on server side and integrate the login form on frontend (via iframe), then just redirect with redirect url and token, scopes etc to a local html which then eg. sends a window postmessage to your frontend application.
https://www.rfc-editor.org/rfc/rfc6749#page-19
If you just want to be quick and dirty you can go for window.location.href or document.location.href.
Or a bit more secure, send the user to the server and let this be redirected back, but can end up in redirection hell, as its not easy to get back to the state where the user was (including settings and stuff).
Anyways, you will always have to check for the current users's session state whatever you do afterwards with serverside (Sessions).
Since you are working with PHP already i don't recommend using JS to redirect the user. You can use PHP for that:
if($user == $db['user'] && $password == $db['password']){
$_SESSION['logged_in'] = true;
header('location:user.php');
}else{
echo 'username of password is wrong';
}
Then on your user.php file:
if(isset($_SESSION['logged_in'] && $_SESSION['logged_in'] == true){
echo 'welcome to the user page';
}else{
header('location:index.php');//Go back to login page
}
If people go directly to the user.php page, they will be redirected to the index.php page.
I have my website which has this issue. It could be hacked easily through javascript.If the hacker types this in his console he can easily add a user in my database and can signup without going through the stuff like checking password length , checking username length and so on ...
$.post("extra/includes/signup/register.inc2.php",{username:"user1234",email:"email#live.com",p:"here goes password"})
I want a code that could stop him from using console in my website. And if there is no way to do that then how to fix it by some other means ?
Disabling the console won't do. A hacker can always do the same request to your server as you do.
If it is something that isn't public you can protect it using a username and password, looking at the url it is a public script.
If you require a public register script the best way to protect against this kind of thing is to us a captcha (for example recaptcha. It makes it a lot harder to do a scripted attack on your register script.
Always validate the data server side, you can not trust the data you receive from your request because it can be easely manipulated.
You should not rely on client side form validations and it is total bad practice.Try to adapt framework like CI or Laravel . They have particular set of easy ways to validate the form inputs .
Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.
I'm trying to hide access to a certain page on a rails app without using something like devise or sorcery. I want to create a password inside the actual app code, so when you access the page it just shows an input, and if the password is entered is correct, it will show the page. Could I get this done with Javascript?
Just to be clear, I'm not in favor of doing authentication on the front-end since it is very very insecure. But if you don't need that level of security you can use this tool:
http://www.javascriptkit.com/epassword/index.htm
That would generate an encrypted password checker which would work to protect your page.
You could do an AJAX request to check if the password is right, then when the AJAX response finishes, call a callback that shows the div where the page is.