Can I keep passwords secure from other programmers when using (minified) javascript Ajax jQuery? More specifically, when debugging with tools like Firebug, can I keep passwords (even encrypted) from others?
Here’s a scenario:
I build an XML doc (server side) and pass it to my jQuery/Ajax controller. Who’s to say someone won’t set a breakpoint in Firebug, copy and paste the encrypted userID, encrypted password and send their own request to the original URL?
Yes, I can do all of this server side. My question is, can I do it client side?
Let’s face it peeps, when people want “secure” data these days, who are we defending ourselves from…other programmers.
Luv ya’ll though.
No, you can’t. You can only make it difficult to crack.
This is the essential problem with DRM schemes:
They aim to control the content on the client from the client.
That said, unless you are trying to implement a DRM scheme, there is no need to compromise security. That is because authorization, authentication and validation should always happen on the server (or also on the server).
The only credentials the client needs are its own credentials, and since the client needs them to log-in and already has them this is not a security problem.
Any credentials which would allow the client to go beyond her permission must remain in the server.
The server uses these credentials, on behalf of the client, only after proper authentication of the client and authorization of action.
Any architecture that passes credentials to the client and relies on client side obfuscation to maintain security is flawed.