javascript - Submitting passwords via ajax -

-

given following scenario: have html form changing account's password. looks this:

currentpassword:   __________________ newpassword:       __________________ newpasswordagain:  __________________

we want send request via ajax call. if send , leave our computer (without logging out , staying on exact same page) open webkit inspector (or firebug) , see this:

http://cl.ly/3y213w1q0u2y2e251k0o

what solution making more secure? possible using ajax call here or better use "normal" html form reloads whole page after sending?

the author not interested in encrypted connections here. may doing already. wants able hide password (and username) 1 has access computer, , can open inspector tools view networking occurred on page.

one of simplest things refresh page in case authentication succeeded.

something should refresh page whenever user pressed "log out". should clear previous network data.

the less options encrypting, obfuscating , hashing password prior sending it.

hashing password on client-side not ideal because prevents use of hashed passwords keys on server-side (think hmac). hmac'd passwords best, because key kept on filesystem whereas salt kept on database. cracking password hash requires rather solid access system.

obfuscating , encrypting password can reversed. if sees login request on webkit inspector, might interested in spending time undress defenses.

i highly recommend refreshing page @ point avoid problem entirely. other options not seem good.


Comments

Post a Comment

Popular posts from this blog

objective c - Change font of selected text in UITextView -

-
can suggest me how change font of selected text in uitextview.i cannot use uiwebview since have edit text. have seen pages app.how possible in app. see formatting text within uilabel differently . since need editing, should @ javascript-based editors such ckeditor or tinymce . highly recommend wwdc 2011 video session 511: "rich text editing in safari on ios."
Read more

php - Accessing POST data in Facebook cavas app -

-
so i've got simple form in canvas / iframe facebook app, , i'm trying pass along values post. reading on s.o. , fb's latest docs, understand it, data send via post form can accessed on receiving end $_request object. i read on thread on s.o. in order post forms work need pass along input named "signed_request" value current signed_request (i have signed request working ok otherwise...all login , authentication stuff working fine). isnt mentioned anywhere in official fb docs. so problem comes in $_request object signed request, , bunch of other session stuff. form inputs found. the way can read them set method of form "request" isn't real form method. takes of inputs , sends them args in url. horrible. here's sample page canvas app form i'm using try debug (leaving out authentication stuff): <form enctype="application/x-www-form-urlencoded" method="post" target="_top" id="my_form" action=...
Read more

c# - Getting control value when switching a view as part of a multiview -

-
i have following code in aspx page: <asp:button id="display_button" runat="server" text="display" onclick="button1_click" /> &nbsp; <asp:button id="edit_button" runat="server" text="edit" onclick="button2_click" /> &nbsp; <asp:button id="save_button" runat="server" text="save" onclick="button3_click" visible="false" /> &nbsp; <asp:multiview id="multiview1" runat="server" activeviewindex="0"> <asp:view id="view1" runat="server"> <asp:formview id="view_program" runat="server"> <itemtemplate> <%# eval("status").tostring().trim() %> </itemtemplate> </asp:formview> </asp:view> <asp:view id="view2" runat="server"> ...
Read more