8 Replies Latest reply on Jul 17, 2008 9:57 PM by luxspes

    Send password hashed

    frankyb
      Hi,

      how can I achieve that the password used in a login form with #{identity.password} is not transmitted with the POST or XMLHttpRequest in plain text, but as a hash value?
      Or does Seam do this automatically?

      Thanks for any response,
      Frank
        • 1. Re: Send password hashed
          frankyb

          Well, having done some tests, I can answer one part: the password is sent in plain text within the POST message.


          So it seems I have to do some JavaScript to encrypt it before it is sent...?! Or are there any common procedures? I guess I'm not the first one to do this...

          • 2. Re: Send password hashed

            Hi!


            What would be the point of hashing it with JavaScript? That would not help to secure your application even a little bit. (The hash is still transmitted in plain view; anyone can see it, resend it, and get into your application.)


            Regards,

            • 3. Re: Send password hashed
              gjeudy

              What type of form authentication do you have now? BASIC, DIGEST or something else?


              You may want to look at securing your login form with SSL.

              • 4. Re: Send password hashed
                frankyb

                Well, he could get into my application (if I did not secure the hash with an additional timestamp), but he could not retrieve the password and use it for other purposes.
                It's a fact that many users use the same password for many different accounts on the internet. So the password that was captured by exploiting my app could be used to gain access to the user's email address, or even worse, to his online banking... And who is guilty, then?
                OK, maybe this is a bit paranoid, but that's why I asked this question ;-)

                However, for now I have deferred this decision, because I have a lot of other issues that should be cleared first.

                • 5. Re: Send password hashed

                  And, why not just use HTTP?

                  • 6. Re: Send password hashed

                    Francisco Peredo wrote on Jul 17, 2008 21:31:


                    And, why not just use HTTP?


                    Sorry, I meant to say: And, why not just use httpS?

                    • 7. Re: Send password hashed
                      frankyb

                      Yes, I think that would do the trick. But I would need a certificate, and I assume this is not free (for commercial use). Or am I wrong?

                      • 8. Re: Send password hashed

                        Well, you can create your own self-signed certificate, or you could ask CAcert for a free one... but if you are going to use this for commercial purposes, I really recommend going and buying one.
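The point made in reply 2 (a hash computed in the browser is itself the credential, so it gains nothing over sending the password over HTTPS) and the server-side alternative the thread converges on can be shown in a few lines. The following is an added example, not code from the thread or from Seam: it contrasts a naive "client sends sha256(password), server compares it to a stored sha256" scheme with a server that receives the password over TLS and stores a per-user salted PBKDF2 digest. The iteration count and the record layout are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# --- Scheme the thread argues against -------------------------------------
# The browser sends sha256(password); the server stores sha256(password) and
# compares. Whatever crosses the wire (or leaks from the database) IS the
# credential: presenting it again authenticates, and because there is no salt,
# two users with the same password have identical stored values.

def naive_client_hash(password: str) -> str:
    """What a JavaScript login form would compute and POST."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def naive_verify(stored_hash: str, transmitted_hash: str) -> bool:
    """Server side of the naive scheme: stored value == transmitted value."""
    return hmac.compare_digest(stored_hash, transmitted_hash)


# --- What the server should do instead ------------------------------------
# Accept the plaintext password only over TLS (reply 6 and 8), then derive a
# salted, slow digest on the server. The stored record is not usable as a
# login token, and identical passwords produce different records.

ITERATIONS = 100_000  # assumption: PBKDF2 work factor for the demonstration


def make_record(password: str) -> dict:
    """Create the stored credential record for a new or changed password."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": ITERATIONS, "digest": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive the digest from the submitted password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])


def demo() -> dict:
    """Summarise the properties of both schemes for the same constructed password."""
    password = "correct horse battery staple"  # constructed sample input

    # Naive scheme: the transmitted value is accepted as-is, and is the same
    # for every user who chose this password.
    token = naive_client_hash(password)
    naive_replayable = naive_verify(token, token)
    naive_unsalted = naive_client_hash(password) == naive_client_hash(password)

    # Server-side scheme: two records for the same password differ, and only
    # the plaintext password (sent over TLS) verifies against either.
    rec_a, rec_b = make_record(password), make_record(password)
    return {
        "naive_token_is_credential": naive_replayable,
        "naive_same_hash_for_same_password": naive_unsalted,
        "salted_records_differ": rec_a["digest"] != rec_b["digest"],
        "correct_password_verifies": verify_password(rec_a, password),
        "wrong_password_rejected": not verify_password(rec_a, password + "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record returned by make_record is what belongs in the user table; the naive scheme's stored value is effectively the password itself, which is why the thread's answer is TLS on the login form plus server-side salted hashing rather than hashing in the browser.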