Latze

Reputation: 1871

Is there a reasonably safe way of authenticating a homepage using JavaScript?

Is there any way of authenticating a homepage using JavaScript? I do know a couple of ways, but they are extremely easy to "hack" because the usernames and passwords are stored in the script itself - as arrays.

Do you guys know any good ways of authenticating just a single subpage or two?

Upvotes: 0

Views: 203

Answers (5)

bluesmoon

Reputation: 4320

It's not possible. Any data sent to the client in an unauthorized session should be considered public. Any sensitive data (eg: passwords) sent to the client in an unauthorized session should be considered compromised. Any data received from the client should be considered untrustworthy.

You can only trust the server.

Of course, you could write your server-side code in JavaScript using Node.js.

Upvotes: 0

Unicron

Reputation: 7456

No, there is absolutely no way to authenticate a user using pure JavaScript.

JavaScript is executed on the client side, and thus entirely and easily manipulable.

Authentication always needs to be done on server side. JavaScript can be used to send the credentials to the server, but never to check those credentials.

Upvotes: 8

srigi

Reputation: 1732

Oh yeah, there is a safe solution. It's called the "challenge/response technique". It works like this:

  • the server sends the client a challenge (some random string)
  • the client attaches a password (from user input) to the received challenge and makes a hash of this combination
  • the server does the same (challenge + password from DB) and verifies equality
    • if everything is OK, the server logs the user in to the site

Safety is achieved by the server sending every challenge only once! If anybody captures the client's response, it is not adaptable, because the server never sends this challenge again.

Upvotes: 1
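
The exchange described in the answer above, as an added example that is not part of the original post: a Node.js sketch in which the server issues a single-use challenge, the client hashes it with the typed password, and the server alone decides the outcome. The user store, the function names, the 60-second lifetime and the use of HMAC-SHA256 in place of a plain hash of the concatenation are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Constructed sample store. The server has to keep the secret in a form it
// can recompute the response from, so this store needs the same protection
// as the passwords themselves.
const users = new Map([['alice', 'correct horse battery staple']]);
const pending = new Map(); // challenge -> { user, expires }

// Server: issue a random challenge bound to one user, valid for 60 seconds.
// A challenge is issued for unknown users too, so the reply does not reveal
// which usernames exist.
function issueChallenge(user, now = Date.now()) {
  const challenge = crypto.randomBytes(32).toString('hex');
  pending.set(challenge, { user, expires: now + 60_000 });
  return challenge;
}

// Client: combine the challenge with the typed password (HMAC-SHA256 here).
function clientResponse(challenge, password) {
  return crypto.createHmac('sha256', password).update(challenge).digest('hex');
}

// Server: verify once, then forget the challenge whether or not it matched.
function verify(user, challenge, response, now = Date.now()) {
  const entry = pending.get(challenge);
  pending.delete(challenge); // single use: a captured response cannot be replayed
  if (!entry || entry.user !== user || entry.expires < now) return false;
  const secret = users.get(user);
  if (secret === undefined) return false;
  const expected = Buffer.from(clientResponse(challenge, secret), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}

// Walk through one login followed by a replay of the same response.
function demo() {
  const challenge = issueChallenge('alice');
  const response = clientResponse(challenge, 'correct horse battery staple');
  return { first: verify('alice', challenge, response),
           replay: verify('alice', challenge, response) };
}
```
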

Tgr

Reputation: 28160

It is certainly possible: you can encrypt the web page and use JavaScript to decrypt it. It rarely makes sense to do that, though.

Upvotes: 0

Joachim Sauer

Reputation: 308031

As long as the final decision on whether or not the user gets to see some content is done on the client, it will be pretty easy to hack.

The only way that could possibly work would be if you somehow encode the content with a password, so that the desired information is simply not accessible as long as the password is not known. But even that is probably easily brute-forced, and it would be quite complicated to implement.

Upvotes: 0
