May 10, 2012

PHP Session Variable In JavaScript

Question by user1345650

How could I put PHP into this so that when the password is correct it stores the information as a cookie, and then allow deleting it too?

  <SCRIPT language="JavaScript">
    <!--hide
    var password;
    var pass1 = "password";

    password = prompt('Please enter your password to view this page!', ' ');

    if (password == pass1) {
      alert('Password Correct! Click OK to enter!');
    } else {
      window.location = "//Some Location//";
    }
    //-->
  </SCRIPT>

Answer by Starx

If it's simple enough (as per the title):

var varname = '<?php echo $_SESSION["variable_name"]; ?>';

But you have to seriously consider your logic. You are checking for authentication in JavaScript, which is going to be the dumbest move in a web application.

The password is totally exposed, and anyone can view it or turn off JavaScript as a whole; then your whole site becomes vulnerable.


My suggestion is an AJAX request to a PHP page which separately checks and verifies the password and then returns a message to the JavaScript.

April 17, 2012

Best practice for storing database password

Question by beshiros

I am developing a custom server application that will access a database. I need to decide where I will store the credentials (and the address) for that server.

A common solution is to put the credential in a config file. However, I do not want a compromised server to mean that the hacker has access to the DB (which is hosted on a separate server).

I could store the credentials in the environment, but that is just security through obscurity. Mr. Evil can just look in the environment to find it.

Someone suggested encryption. However, if I store the key in the executable, a quick de-compile (we are using Java) and I am still doomed.

I also want to avoid having to enter a passphrase every time I start the server.

Any suggestions? I feel like I’m missing something simple.

Thanks

Answer by T.J. Crowder

I don’t think you’re missing something simple. Either the server in question can connect to the database without your help, in which case it has to have the credentials; or it cannot connect without your supplying them. You can take various steps like the ones you’ve listed to make it harder for a compromised server to reveal the credentials to the database, but at the end of the day, if it has to have those credentials and supply them to the DB server to connect, they’ll have to be stored on it somewhere — or at least, it will have to have some means of getting them, and so will be hackable in that sense.

Your best bet is to focus on finding out about intrusions (compromised servers) as quickly as possible, keeping good off-site, off-line backups for the worst case, putting up lots of barriers to intrusion in the first place, etc.

Answer by Starx

I am sharing the way I solved this.

  • Build an API to query the authentication details from a foreign domain.
  • Use a public key and private key to read through the details.

But, honestly, the only thing this did was overcomplicate simple things. After that, I created several users in the database, with different privileges.

Like

  • guest can only SELECT
  • mod can only CREATE, INSERT, UPDATE, DELETE

etc., and switched the user whenever authenticated users appeared.

With the combination of users and sessions, I have been able to escape the threats so far. But of course the code vulnerabilities have to be tested thoroughly.

April 9, 2012

Best password reset behavior for missing account

Question by smparkes

I’m wondering what the best behavior is when a user requests a password reset for an email that doesn’t exist.

Context: user is not logged in. They just enter an email and hit a reset button.

  1. If I tell the user requesting the reset immediately that the account doesn’t exist, that’s both a bit of security hole and a privacy issue.
  2. If I do nothing and it’s an innocent mistake (they thought they had an account), they’ll be wondering what the heck happened. Most mysterious option, least subject to abuse.
  3. I can send an email that says a password reset has been requested but there’s no account (and should be ignored blah blah blah). This seems the least noxious but it is a little subject to abuse.

Update: On further consideration, I don’t really see how 1 is a big deal, since they can get the same information by simply trying to sign up/use the same email … unless I’m missing something …

Answer by Starx

I would do something like this

  • Ask for the username or email
  • If that email or username is present, send an email to the person with the reset password.

Finished 🙂

March 20, 2012

Checking password match returns "Passwords match" when both fields are empty

Question by Igal

I’m making a registration form and I want to check if the user has matching passwords while he’s typing and give him the appropriate message. So far everything works, except for these things:

  • When the user deletes everything from the Confirm Password field it still gives him the message “Passwords do not match”, while I want to give him no message or a message saying “Please confirm password”.
  • When the user deletes everything from both fields, it gives him the message “Passwords match”, while it should give him no message at all.

Here’s my code:

$(function () {
    $("#txtNewPassword").keyup(checkPasswordMatch);
    $("#txtConfirmPassword").keyup(checkPasswordMatch);
});

function checkPasswordMatch() {
    $("#divCheckPasswordMatch").html("");
    var password = $("#txtNewPassword").val();
    var confirmPassword = $("#txtConfirmPassword").val();

    if (password == "" && confirmPassword == "") {
        $("#divCheckPasswordMatch").html("");
        $("#divIsPasswordExist").html("");
    }
    else if (password != "" && confirmPassword == "") {
        $("#divCheckPasswordMatch").html("");
    }
    else if (password == "" && confirmPassword != "") {
        $("#divIsPasswordExist").html("Password cannot be empty!");
    }
    else {
        $("#divIsPasswordExist").html("");
    }

    // Runs in every case above, so the empty/empty case still ends in "Passwords match."
    if (password != confirmPassword) {
        $("#divCheckPasswordMatch").removeClass("registrationFormConfirm");
        $("#divCheckPasswordMatch").addClass("registrationFormAlert");
        $("#divCheckPasswordMatch").html("Passwords do not match!");
    }
    else {
        $("#divCheckPasswordMatch").removeClass("registrationFormAlert");
        $("#divCheckPasswordMatch").addClass("registrationFormConfirm");
        $("#divCheckPasswordMatch").html("Passwords match.");
    }
}

Any ideas, please?
Thank you!

Answer by Hardik Patel

function checkPasswordMatch() {
    var password = $("#txtNewPassword").val();
    var confirmPassword = $("#txtConfirmPassword").val();

    // Each incomplete case returns early, so the match/mismatch block below
    // only runs once both fields contain something.
    if (password == "" && confirmPassword == "") {
        $("#divCheckPasswordMatch").html("");
        $("#divIsPasswordExist").html("Password and Confirm Password don't exist");
        return;
    }
    else if (password != "" && confirmPassword == "") {
        $("#divCheckPasswordMatch").html("Confirm Password doesn't exist");
        return;
    }
    else if (password == "" && confirmPassword != "") {
        $("#divIsPasswordExist").html("Password cannot be empty!");
        return;
    }
    else {
        $("#divIsPasswordExist").html("");
    }

    if (password != confirmPassword) {
        $("#divCheckPasswordMatch").removeClass("registrationFormConfirm");
        $("#divCheckPasswordMatch").addClass("registrationFormAlert");
        $("#divCheckPasswordMatch").html("Passwords do not match!");
    }
    else {
        $("#divCheckPasswordMatch").removeClass("registrationFormAlert");
        $("#divCheckPasswordMatch").addClass("registrationFormConfirm");
        $("#divCheckPasswordMatch").html("Passwords match.");
    }
}

Answer by Starx

There is a more elegant way to do this. Change your conditions to this:

if (password.length > 0 && confirmPassword.length > 0) {
    if (password == confirmPassword) {
        // confirmed
    } else {
        // not confirmed
    }
} else {
    // not entered
}
...
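The two answers above as one complete checker, added here as an example (not code from the question or either answer). The comparison is a pure function that returns a state, which is what makes the empty/empty and empty/confirm cases from the question easy to test; `bindToForm()` is the jQuery glue for the field ids in the question and uses a single message div (the question's `divIsPasswordExist`/`divCheckPasswordMatch` split is collapsed, an assumption of this example).

```javascript
// Added example: password-confirmation state machine plus jQuery binding.

// Starx's gate: compare only when both fields have content; otherwise report
// which field is missing. Returns one of five states.
function passwordMatchState(password, confirmPassword) {
  if (password.length > 0 && confirmPassword.length > 0) {
    return password === confirmPassword ? 'match' : 'mismatch';
  }
  if (password.length === 0 && confirmPassword.length === 0) return 'empty';
  return password.length === 0 ? 'password-missing' : 'confirm-missing';
}

// Message and CSS class for each state, using the class names from the question.
// 'empty' shows nothing at all, which is what the question asked for.
const STATE_VIEW = {
  empty:              { text: '',                          cls: '' },
  'password-missing': { text: 'Password cannot be empty!', cls: 'registrationFormAlert' },
  'confirm-missing':  { text: 'Please confirm password',   cls: '' },
  mismatch:           { text: 'Passwords do not match!',   cls: 'registrationFormAlert' },
  match:              { text: 'Passwords match.',          cls: 'registrationFormConfirm' },
};

function render(state) {
  const view = STATE_VIEW[state];
  if (!view) throw new Error('unknown state: ' + state);
  return view;
}

// Browser glue (jQuery, as in the question). Defined only; not run here.
function bindToForm($) {
  function update() {
    const view = render(passwordMatchState($('#txtNewPassword').val(), $('#txtConfirmPassword').val()));
    $('#divCheckPasswordMatch')
      .removeClass('registrationFormAlert registrationFormConfirm')
      .addClass(view.cls)
      .text(view.text); // .text(), not .html(): the message div never interprets markup
  }
  $('#txtNewPassword, #txtConfirmPassword').on('keyup', update);
  update(); // set the initial (empty) state on page load
}
```

This feedback is a usability aid only; the server must re-check that both submitted values match, since the browser-side script can be bypassed exactly as the first thread on this page points out.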
