.net - Calling a secured WebService from jQuery safely -


i have webservice has several calls available members of site. want build pure html/jquery mobile app can call service make requests , download information.

my initial plan put users' username , password in auth header i'm worried exposing them traffic sniffers. can create session key after initial authentication call in token may vulnerable session stealing.

my current plan is:

  • implement login call, return token expire after designated time
  • the js calls in token (thereby reducing number of times password sent).
  • the user makes calls
  • the token compared against user's ip address.
  • the user logs out, ends session , removes key reduce risk

another thought encrypt password send it. possible/sensible public/private key encryption in js based on .net rsacryptoserviceprovider implementation?

what best approach handle authentication, ideally without purchasing ssl certificate (the data not particularly sensitive). ?

apart obvious reasons why ssl highly recommended, , should use if it's possible, can consider rising security hashing login , password.

hashes work in way difficult break - hashes of similar strings different, if change 1 char. see that:

login: "jacek", sha1: "9749d1492af3d43f9c09e04c5c43f27bb909af51" login: "jacek", sha1: "46c676716f0e9aa86545c034d0e22a114d7cd488"

this shows need exact password (or it's hash collisions, difficult compute) 'break' hash, , 'simmilar' 1 useless.

your implementation may go that: when create user (f.e. registration moment), compute hash of login , password. after that, in db have:

login  | hashedlogin                              | hashedpassword  --------------------------------------------------------------------------------------------- jacek  | 9749d1492af3d43f9c09e04c5c43f27bb909af51 | e4e088f4eaa96db85e11ba491a189f96f2e11793

(you may keep unhashed login debugging / maintanence purposes only.)

after that, before conect web service in app, same, in jquery:

var _hashedlogin = sha1_hash($("#login").text()); var _hashedpassword = sha1_hash($("#password").text());

there lots of third-party sha1 libs, use of them ;)

then, when send info webservice, send hashed values only. if sniffs ajax call, like:

"userinfo": {     "login" : "9749d1492af3d43f9c09e04c5c43f27bb909af51",     "pass" : "e4e088f4eaa96db85e11ba491a189f96f2e11793" }

this useless thief, can compare values precomputed hash in database. can run

select id users hashedlogin = 'login_from_your_ajax_call' , hashedpassword = 'pass_from_your_ajax_call';

if result of query, secured verification completed , have id of user. if there no results, login or password invalid.

sha1 quite secure home , semi-pro reasons, compute hash collide password, may need 2^61 comparisons. take literally years home computer break that. solution still vulnerable man-in-the-middle attacks, leap of security sending plaintext authentication data.

also, remember once user authenticated, unless use ssl, all other (client <-> web service) connection still insecure , easy sniff.


Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based
Read more

thorough guide for profiling racket code -

did googling ("racket profiling", "racket measure performance"), didn't find , there no examples in docs. did google "profile" search on htdp - no luck. (profile (f ...)) output isn't obvious other small snippets. ideally want python's python -m cprofile usage examples. when search "python profiling", both duckduckgo , google give top result: 26.4. python profilers . (although scanned quickly, seems more of reference "thorough usage guide" examples. if had else in mind, perhaps please link that?) the equivalent racket documentation be: profile: statistical profiler . a usage example: #lang racket (require profile) (profile-thunk (thunk (function-to-profile arg0 arg1) )) here (thunk e) convenience (lambda () e) . bigger example: #lang racket (module mod racket (provide f) (define (f) (for/list ([i 10000]) i))) (require (prefix-in mod: 'mod)) (define (f) (for ([i 10000
Read more