security - Plain-text password and "remember me", node.js and js client
I'm trying to understand a little bit more about security in a node.js (with passport.js) and client (pure JavaScript) web application. I'm new to web programming.
I have implemented the LocalStrategy, and it's ok. To gain access to the API I have to log in with a normal account, or log in as admin for the others.
I'm testing the browser authentication (I still don't have the "remember me" feature, so each time I have to retype the password), and I'm testing with curl:
    curl --cookie-jar jarfile --data "username=admin&password=pass" http://localhost:5000/login
    curl --cookie jarfile "http://localhost:5000/api/admin"
Now, following the "expect the worst" paradigm, I'd like to be protected a little bit from a man-in-the-middle attack, so I don't want to send the plain-text password: I could encrypt the password in the browser (sha256), send it, and store/compare the hashed password.
- What I don't understand is the salt thing. What is the most used pattern? Generate it in the server and send it to the login page? How do I test it with curl? Does each user have a different one? Does the user have to insert it in the login form?
- What is the "remember me" thing? I don't understand this: do I have to store a cookie in the browser with username, encrypted password, and salt? Why are "remember me" implementations on the server side? Shouldn't it be in the client?
Sorry, I haven't found anything on the web that explains these concepts with node.js and passport.js, a pure JavaScript client and curl tests (I care about testing with curls).
> explain these concepts with node.js and passport.js
Those concepts are not dependent on a specific runtime or framework, so it makes sense that materials on the web don't refer to node.js and passport.js.
1. ... the salt thing
A salt is a string that makes it harder to crack passwords. You should use a different salt for each user. As I see it, the use of salts is only relevant to the server. The client sends the password in the clear, and the server hashes it with the salt. It won't affect testing with curl. If an attacker could log in with the salted hash alone (thus not needing to know the original password), that would make the salt and hash less useful.
2. ... the "remember me" thing
Usually, instead of transmitting credentials with each request, there's a single "session id" sort of token. The server maintains state to associate session ids with user records, "remembering" that the user is logged in. It's uncommon to store the password in a cookie.
So each time I handle a login I have to store a session id and send it to the client? And the client sends it back to me?
That's how a lot of sites do it. I guess there's room for variation though.
The command
    curl --cookie-jar jarfile --data "username=admin&password=pass" http://localhost:5000/login
stores the username and password in the cookie, doesn't it?
It sends the username and password to the server, and the server can respond with whatever data it wants to have stored in the cookie. If the server sends the username and password as the cookie, yes. If it sends a session id instead, no.