2

From my chrome extension, I am making a request to my server with sensitive information, namely the user's email and password, in order to log them into the service. A naive way to do this would be to make a request to something like

www.myserver.com/login?email=email&pass=pass. 

That however seems terrible. What's the standard, secure way to perform this?

4

1 Answer

3

A standard secure way is to use an encrypted channel, such as HTTPS. That way, only the connection to https://myserver.com will be seen, and the GET /login?email=email&pass=pass request will be encrypted. However, by doing the authentication solely via parameters to the GET request, you'll have to carry it around with you on every page you want to visit. Usually this is solved by the server giving you an authentication token (for instance a cookie) that grants you access for some time, when you log in. This token of access is usually called a "session". How it's implemented differs greatly, but usually it comes down to giving you a sort of key in exchange for a valid login.

Other methods for obtaining a valid session include sending the username in clear, and the password as a derived key, for instance seeded and hashed.

If there's something in my answer you don't understand, please comment on it, and I'll elaborate or give more examples :)

EDIT:

On the backend, I am using a standard salt+hash from the werkzeug python library. If the JS performed the same operation and then passed along the derived password, would that be sufficient?

Yes. If you do the salt+hash scheme, you can use whatever JS library you want. I often just use the native XMLHttpRequest to do it.

Also, your first suggestion was to use HTTPS. If I go that route and return the session key, what's to stop someone from snooping the session key?

If you're going with SSL, what's stopping someone from sniffing the session? Well, the encryption, hopefully :) Once the SSL connection is set up, everything going back and forth between you and the server will be encrypted, so there's nothing to snoop. Without encryption though, that becomes a big problem. Remember all the fuss about Facebook and sniffing session cookies when Firebug came out (or was it Firesheep?)?

Of course your SSL tunnel may fall victim to man-in-the-middle, but public key infrastructure like this is the best you'll get. SSLv3 is considered safe these days.

answered 2013-03-30T21:18:09.823
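The login-then-session flow the answer describes, as an added example that is not part of the original question or answer: a server-side sketch in plain Python (standard library only, so it does not depend on werkzeug; the `login`, `current_user`, `USERS` and `SESSIONS` names and the in-memory stores are assumptions for illustration). The handler takes the credentials from a POST body rather than a query string, so they do not end up in URLs, browser history or access logs; it stores only a per-user random salt plus a PBKDF2 hash, compares in constant time, and on success issues a random session token that later requests present in a cookie marked `Secure` and `HttpOnly`, which is the "key in exchange for a valid login" the answer mentions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a real database (assumption for this example).
USERS = {}      # email -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # token -> {"email": str, "expires": float (unix time)}

PBKDF2_ITERATIONS = 200_000
SESSION_TTL_SECONDS = 3600


def register(email, password):
    """Store only a random per-user salt and the PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    USERS[email] = {"salt": salt, "hash": digest}


def verify_password(email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(email)
    if record is None:
        # Hash a dummy anyway so an unknown account takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(form, now=None):
    """Handle POST /login. `form` is the parsed request body, not the query string.

    Returns (status, response_headers, token). On success the token is set as a cookie
    that the browser will only send over HTTPS (Secure) and that page scripts cannot read
    (HttpOnly); later requests are authenticated by that cookie, not by resending credentials.
    """
    now = time.time() if now is None else now
    email = form.get("email", "")
    password = form.get("password", "")
    if not verify_password(email, password):
        return 401, {}, None
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
    SESSIONS[token] = {"email": email, "expires": now + SESSION_TTL_SECONDS}
    headers = {"Set-Cookie": f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"}
    return 200, headers, token


def current_user(token, now=None):
    """Resolve the session cookie presented on a later request; unknown or expired tokens fail."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if session["expires"] <= now:
        del SESSIONS[token]             # expired: drop it so it can never be reused
        return None
    return session["email"]


def logout(token):
    """Invalidate a session server-side; clearing the cookie alone would not be enough."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    register("alice@example.com", "correct horse battery staple")
    status, headers, token = login({"email": "alice@example.com",
                                    "password": "correct horse battery staple"})
    print(status, headers)
    print("session belongs to:", current_user(token))
    logout(token)
    print("after logout:", current_user(token))
```

The example hashes on the server and relies on HTTPS to protect the password in transit. If the extension instead sent a hash it computed itself, that hash is what the server would compare against, so it would have to be protected in transit exactly as carefully as the password; the transport encryption, not the hashing, is what keeps the credential and the session token out of a sniffer's reach.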