security - Plain-text password and "remember me", node.js and js client -

-

i'm trying understand little bit more security in node.js (with passport.js) , client (pure javascript) web application. i'm new web programming.

i have implemented localstrategy , it's ok. gain access api have log in normal account, or log in admin in others.

i'm testing browser authentication (still don't have "remember me" feature each time have retype password) , i'm testing curl:

curl --cookie-jar jarfile --data "username=admin&password=pass" http://localhost:5000/login curl --cookie jarfile "http://localhost:5000/api/admin"

now, following "expect worse" paradigm, i'd protected little bit man-in-the-middle attack don't want send plain-text password: have crypt password in browser (sha256), send it, , store/compare hashed password.

  1. what don't understand salt thing. more used pattern? generate in server , send login page? how test curl? has different one? user has insert in login form?
  2. what "remember me" thing? don't understand this: have store cookie in browser username, encrypted password, , salt? why "remember me" implementations in server side? should't in client?

sorry haven't found in web explain concepts node.js , passport.js, pure javascript client , curl test (i care on testing curls).

explain concepts node.js , passport.js

those concepts not dependent on specific runtime or framework, makes sense materials on web don't refer node.js , passport.js

  1. ... salt thing

salt string makes harder crack passwords. should use different salt each user. see use of salts relevant server. client sends password in clear, , server hashes salt. won't affect testing curl. if attacker log in salted hash alone (thus not needing know original password), makes salt , hash less useful.

2. ... "remember me" thing

usually instead of transmitting credentials each request, there's single "session id" sort of token. server maintains state associate session ids user records, "remembering" user logged in. it's uncommon store password in cookie.

each time handle login have store session id , send client? , client send me?

that's how lot of sites it. guess there's room variation though.

the curl --cookie-jar jarfile --data "username=admin&password=pass" http://localhost:5000/login store username , password in cookie, isn't it?

it sends username , password server, , server can respond whatever data wants have stored in cookie. if server sends username , password cookie, yes. if sends session id instead, no.


Comments

Post a Comment

Popular posts from this blog

google api - Incomplete response from Gmail API threads.list -

-
i plot number of emails in inbox on time using gmail api , i'm seeing lot of drop-outs, whatever reason i'm getting incomplete count of messages @ single time points. my plots here: https://plot.ly/~tdsmith/2 -- "drop-outs" i'm complaining trace shoots downwards , recovers previous level @ next timepoint. the code i'm using count emails here: https://github.com/tdsmith/gmail-plotly/blob/master/gmail-plotly.py#l47-l64 what can diagnose these faults?
Read more

Installing Android SQLite Asset Helper -

-
i need use ready made database. search solution on internet did not work until decided use mentioned library found here . however, found hard use library in installation procedures shallow beginners. i appreciate step step procedure on how use android studio. in struggle tried copying sources main/libs , adding line gradle did not work. use api 19 if helps. update here build.gradle // top-level build file can add configuration options common sub-projects/modules. buildscript { repositories { mavencentral() } dependencies { classpath 'com.android.tools.build:gradle:0.11.+' compile 'com.readystatesoftware.sqliteasset:sqliteassethelper:+' // note: not place application dependencies here; belong // in individual module build.gradle files } } allprojects { repositories { mavencentral() } } trying compile project error error:(9, 0) no signature of method: org.gradle.api.internal.artifacts
Read more

Qt Creator - Searching files with Locator including folder -

-
one quick question qtcreator : know possible use locator open files using "ctrl-k" shortcut. however, possible search files including locations? for example, let's want locate file named "main.cpp" in folder named "myfolder" , have lots of other main.cpp files. what should type locator in order open ? just type myfolder/main.cpp in locator
Read more