I have a REST back-end in this application that is used by an HTML5/JavaScript client. I am planning to implement an authentication system which uses Basic authentication, where the JavaScript client will store the base64-encoded user's credentials for the duration of a session. These credentials will be sent with each request in the "Authorization: Basic" header.
All communication between the JavaScript client and the REST back-end will be over HTTPS. I know that this is a performance flaw in itself, because it adds the overhead of encrypting/decrypting every single request/response, and that's okay.
What I'm really interested in at this point is security. I know that the scheme I have described is nothing new and many people have used it in their implementations (at least that's my understanding). However, I am interested in knowing whether anyone sees security violations or drawbacks in it.
The only thing I can think of is if malicious code on the client side somehow gets hold of the stored credentials... I think this is not very likely (but hackers are a creative bunch and some JS engines are buggy, so you never know :-))
"Hard" credentials should never be stored in any area that JavaScript can reach raw, otherwise you expose yourself to XSS attacks.
I recommend using access tokens instead and keeping them in HTTPS-only cookies. You make the initial exchange of hard credentials for the token, then use the (time-limited) token for subsequent requests.
I have written a long article on this subject, and this is my answer to a similar question:
Hope this helps!
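The exchange the answer recommends, as an added example that is not part of the original post: the client presents Basic credentials exactly once at login, the server hands back a time-limited HMAC-signed token in an HttpOnly/Secure cookie, and subsequent requests are authorised by verifying that token. The user store, server key and token format are constructed for the demo; a real back-end would use a password hash store and its framework's cookie API.

```python
import base64, hashlib, hmac, secrets, time

USERS = {"alice": "correct horse battery staple"}  # constructed demo user store
SERVER_KEY = b"demo-server-key-change-me"          # constructed HMAC key; keep server-side only
TOKEN_TTL = 900                                    # token lifetime in seconds

def basic_header(user, password):
    # What the client sends once, at login; it never keeps this after the exchange.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(authorization_header):
    # Validate 'Authorization: Basic <base64>' against the user store; returns the user or None.
    scheme, _, payload = authorization_header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(payload, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

def issue_token(user, now=None):
    # 'user|expiry|nonce|mac': the MAC covers user and expiry, so a client cannot extend its own lifetime.
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    body = f"{user}|{exp}|{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def verify_token(token, now=None):
    # Return the user if the MAC checks out and the token is unexpired, else None.
    try:
        user, exp, nonce, mac = token.split("|")
        exp = int(exp)
    except ValueError:
        return None
    good = hmac.new(SERVER_KEY, f"{user}|{exp}|{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, mac) or exp <= (now if now is not None else time.time()):
        return None
    return user

def login_response_headers(authorization_header, now=None):
    # Exchange Basic credentials for a token in a cookie scripts cannot read (HttpOnly), sent only over TLS (Secure).
    user = check_basic_auth(authorization_header)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    cookie = (f"session={issue_token(user, now)}; HttpOnly; Secure; "
              f"SameSite=Strict; Path=/; Max-Age={TOKEN_TTL}")
    return 200, {"Set-Cookie": cookie}
```

Because the token is HMAC-bound to its expiry, a client that edits the expiry field fails verification, and an XSS payload cannot read the cookie at all.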