Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trial
Justin Sorensen
14,734 PointsWhat if we use AJAX to handle the doRegister.php functions. Is it secure to pass the password by ajax to the backend?
I have a module pattern javascript function that I am calling on submit of the form- grabbing the password, confirmation password, and email and passing that to the backend with doRegister taking it from there. I'm a newb to authentication. Is it considered secure to pass along a password to the backend- do I need to hash it if possible, or is it considered most secure to handle this all server side exclusively?
Maybe I do something like this I found on Stackoverflow:
$.ajax ({ type: "GET", url: "doRegister.php", dataType: 'json', async: false, headers: { "Authorization": "Basic " + btoa(USERNAME + ":" + PASSWORD) }, data: '{ "comment" }', success: function (){ alert('Thanks for your comment!'); } });
Thank you, Justin
1 Answer
Josh Torres
8,945 PointsHello Justin,
There is A LOT to discuss when it comes to security, so I will try to cover the most important areas... To start off, a good rule of thumb is to never... like ever, ever, ever, use the plaint text version of a password. ALWAYS hash and send over HTTPS. When it comes to hashing though, the most secure way that we have for public facing servers nowadays is "hashing" + "salt", as they refer to it. It will look something like this: hash("hello" + "QxLUF1bgIAdeQX") = 9e209040c863f84a31e719795b2577523954739fe5ed3b58a75cff2127075ed1
Note: this means that you will never actually know what the person's password is on the backend at all. The moment they submit the form the password should already have a hash + salt token that is passed to the backend and that is what you will store and verify against.
There are a lot of great articles on what that means and how to implement it, but here is a great one I use that also shows common security breaches and how they can easily exploit systems when passwords are simply "hashed". https://crackstation.net/hashing-security.htm
Justin Sorensen
14,734 PointsI appreciate the response Josh and I'm heading in the right direction now. If I can be a bit more specific I would like to know if it's risky to use AJAX to transfer passwords. Retrieving the password in it's raw format. Then transferring it to the server, should that always be done with the btoa method or not necessary if using the PHP password_hash method? Do I need to do that action in a closure module so it's not in the global scope? Otherwise my original plan was to retrieve the values, send them to the server in a variable like normal, and then hash it in PHP. I'm just curious if AJAXing passwords can be breached.
Thanks, Justin
Simon Coates
28,694 PointsSimon Coates
28,694 PointsI'm no expert (I can't emphasize this enough) but i'd assume ajax is just HTTP or HTTPS (which you should probably use for anything important that involves a password). So I'm not sure AJAX is a distinct case to normal form submission (?), which seems to be an assumption of your question.
(On a different note, I just registered for an gmail account and used developer tools to see what it was doing. It seemed to used plain text password over HTTPS. I didn't check the method, but i'd assume post. So you might take a look to see the form structure/network traffic of registering for a reputable service as an insight into security. This isn't a substitute for reading up on the topic, i'd guess.).
As discussed. NOT AN EXPERT!