Reputation: 3670
I have a web application that is designed to work on an internal network.
When the user logs in (using standard POST, asp.net, HTTPS) I need to store the user name and password and later use them in javascript on one particular page (in order to access an ActiveX control).
The obvious problem with this is that when you go "view source" on that page you can see the username and password. I do not think there is a way to avoid this.
My question is: Once the user logs off...does IE7 or IE8 store this entire page information? If so, how would I view it? (to verify if that username and password is easily findable)
If the entire page content is not cached/stored in history...then using the username/pw in the javascript is not that big of a security breach, as a user would already have to be logged in in order to obtain the data. Am I right?
Thanks in advance for your thoughts/comments!
Andrew
elaboration: I have to create an ActiveX object...then connect to it in javascript...I store the passwords in a Session...but I need to put them in javascript in order to connect to the control, i.e.
myactivexcontrol.credentials.username = "username";
myactivexcontrol.credentials.password = "password";
myactivexcontrol.connect();
the username and password coincide with the login to the web application...
Upvotes: 3
Views: 1143
Reputation: 1
First, the password should be encrypted; if not, hashed and salted (possibly multiple times).
Can you not use SESSION to keep track of the user being logged in rather than storing a password? If for some reason you must store the password, do so in the SESSION or a database.
Upvotes: 0
Reputation: 5084
This is a very bad practice with only limited risk because you are using it 'internally'. However, if your internal network is on a Windows domain you could use Windows authentication to validate your users' credentials.
Another option would be to use encrypted cookies.
Either of these options is preferable to what you are doing.
Upvotes: 1
Reputation: 13756
If I were you I would avoid storing passwords in javascript; then you don't have password functionality if everyone knows it.
What I would do:
I would create one page which will return the data I need, and I would call that page from the ActiveX control. Problem solved.
Upvotes: 0
Reputation: 211610
You could always render your pages as "uncachable" via the headers and verify that this works on your target browsers. See: Will web browsers cache content over https
You could test this by deliberately clearing out the cache, verifying that the cache directory is empty, and then running through your use case to see what traces are left behind.
Upvotes: 1
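As an added example (not from any of the answers above): a small Python audit of the response headers the last answer recommends, so the "verify that this works" step can be scripted against a captured response. The two responses and all function names are my own constructions; the first mirrors ASP.NET's default output, which is only Cache-Control: private.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed sample responses (not captured from a real server): ASP.NET's
# default "private" policy, and what a page carrying credentials should send.
DEFAULT_RESPONSE = ("HTTP/1.1 200 OK\r\nCache-Control: private\r\n"
                    "Content-Type: text/html; charset=utf-8\r\n\r\n<html>...</html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nCache-Control: no-cache, no-store\r\n"
                     "Pragma: no-cache\r\nExpires: -1\r\n"
                     "Content-Type: text/html; charset=utf-8\r\n\r\n<html>...</html>")

def parse_headers(raw):
    """Return (status_line, headers) with lower-cased names; repeats joined by ', '."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return head[0], headers

def cache_directives(headers):
    """Set of Cache-Control directive names (any '=value' part dropped)."""
    raw = headers.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}

def expires_is_past(value):
    """True if Expires forces staleness; unparseable '-1'/'0' count as expired (RFC 7234 5.3)."""
    if value is None:
        return False
    try:
        when = parsedate_to_datetime(value.strip())
    except (TypeError, ValueError):
        return True
    when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)  # "-0000" parses naive
    return when <= datetime.now(timezone.utc)

def audit_no_store(headers):
    """List what is missing for the page to be uncacheable; [] means it passes."""
    findings, directives = [], cache_directives(headers)
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: body may be written to the disk cache")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: a stored copy may be reused without revalidation")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches and proxies)")
    if not expires_is_past(headers.get("expires")):
        findings.append("Expires absent or not in the past")
    return findings
```

Run it against a response saved from the real page after the cache-clearing test described above; an empty list only confirms the headers are right, so the on-disk check of the browser cache is still needed.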