
I'm currently working on a website where I'm having to validate users by their username/password using ajax to send the values to my controller.

At the moment I have an input for username and an input of type 'password' for the password. Obviously this means the password is hidden on the front-end, but when I'm posting my values to the controller, I've checked the request and noticed that the password is sent in clear text. Am I doing something wrong?

I would have thought that really you should hash the password using javascript, then send that value and validate the unhashed value on the back-end. I suppose another alternative would be to use https? Is that the preferred method?

I'm not sure if I've handled this whole process correctly. Basically I'm trying to log in a member by validating their username/password that are sent via ajax yet I'm concerned that the password is being sent over in clear text. What's the correct approach to be taking?

Thanks

1 Answer


Like you say, you need to use SSL (HTTPS) to ensure the password is encrypted.

The problem with using a client side hash that is then sent in clear text is that the hash can be intercepted and replayed by an attacker.

SSL includes mechanisms to prevent replays.

If you don't want to pay for an SSL certificate and you are not too concerned about the domain name, then Azure Web Sites could be an option. You can get free hosting if you don't mind sharing infrastructure, and, more important for your purposes, you can then use a built-in, default SSL certificate for *.azurewebsites.net domains.

This would get you free hosting and SSL for your site, with the restrictions that

  • You would be limited to *.azurewebsites.net domain names
  • You would be on shared infrastructure

2 Comments

But what if you're only working on a small site where you don't want to spend money on a verisign certificate or similar? Do you just have to put up with the crappy untrusted certificate error?
Unfortunately, I think you do, yes :o(
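As an added example (not code from the question or the answer above), here is a Python model of the approach the answer recommends: the plaintext password is accepted only over HTTPS, the controller re-derives a salted PBKDF2 hash and compares it in constant time, and a contrast function shows why a hash computed in the browser and sent without TLS is simply a new password that can be replayed. The function names, the `USERS` store and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # constructed value; tune to your hardware


def make_record(password: str) -> dict:
    """Build the stored credential: a random per-user salt plus a PBKDF2-HMAC-SHA256
    digest. The plaintext password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, submitted: str) -> bool:
    """Re-derive the digest from the submitted plaintext and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# Constructed user store and a dummy record used so that unknown usernames cost
# the same PBKDF2 work as real ones (no username enumeration via timing).
USERS = {"alice": make_record("correct horse battery staple")}
DUMMY = make_record("dummy-not-a-real-password")


def login(username: str, password: str, is_https: bool) -> str:
    """Hypothetical controller action handling the AJAX login post.
    Returns a status string instead of a view so it can be tested directly."""
    if not is_https:
        # On plain HTTP the credential travels in clear text, so refuse to use it.
        return "rejected: credentials only accepted over HTTPS"
    record = USERS.get(username)
    ok = verify_password(record or DUMMY, password) and record is not None
    return "ok" if ok else "invalid username or password"


def server_accepting_client_hash(stored: bytes, sent: bytes) -> bool:
    """What the question proposed: the browser hashes the password and the server
    compares the received hash directly. Whatever value crosses the wire is now the
    effective password, so without TLS a captured value can be resent unchanged."""
    return hmac.compare_digest(stored, sent)
```

Hashing in the browser therefore does not replace HTTPS; the server-side hash protects the stored credential, and TLS protects the credential in transit.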
