3
I’m working on a project, and the back-end (java), is totally separate from the front-end, and they communicate through REST.
My question is, let’s start working on the authentication area, and I was wondering if it is possible to control the authentication through cookies or Session, using only Javascript, and if possible there is a nice reference.
4
You will not be able to do your authentication using only Javascript. Some part of the authentication process will have to be done on the server, since you cannot trust that the client will execute the code you sent to it (a malicious client can make HTTP requests directly if they want).
First of all, let’s remember what our authentication system has to do:
Associate data to the user section (login name, when the section expires, items in the shopping cart, etc)
Only the server can create a "section". Users cannot authenticate themselves.
The section data cannot be modified by the user. For example, we don’t want to let me authenticate myself as hugomg on your site but then change the cookie username field to Ericosouza and shop on your behalf.
The simplest way to keep sections is to keep all data on the server. So the requirements (1) and (3) come free. The basic idea is that when the client authenticates1, you generate a hard to guess session identifier2 send it to the customer3. The customer can store the identifier in a cookie4 or where most convenient and the server keeps the data of the section in a table indexed by these identifiers:
123434561234 -> nome:Erico sessao-expira: ...
467235895637 -> nome:hugomg sessao-expira: ...
Since it is difficult to guess the section identifier and how you show the identifier only to the correct user, your server can trust that the user is authenticated if it displays an identifier that is in the table.
1 Using user+password or cryptographic keys or whatever you want
2 Use a very long random number, generated using an cryptographically secure and unpredictable number generator. Do not use a 1,2,3 counter and do not use rand()
3 Use https, or anyone on the wifi of the client who has Firesheep installed will be able to see his identifier and steal the section.
4 A good idea is to mark the cookie as Httponly, for extra security.
If, for performance reasons, you do not want or can not store the session data on the server you will have to pass this responsibility to the client and find a way to prohibit the client from tampering with the data you pass to him. One way to do this is by using a Message Authentication Code (MAC), which is a hash of the section data that can only be computed by the server1 2.
A concrete version of this is to use a cookie with two fields: one with the JSON encoded section data and the other with the MAC computed by the server:
session={"nome":"Erico","expira":""};
MAC=1253712536127354;
The requirements (1) come for free, since the section data are resubmitted on every request. The requirement (2) is met because only the server can compute the MAC and the requirement (3) is valid because although the user can see the fields of the section, it has no way to change as this would require recomputing the MAC.
1 The MAC calculation uses a secret key that only your servers know about.
2 Just like anything else cryptographic, use some ready-made library to calgular this hash, as it’s very easy to create an insecure implementation. The most common suggestion is to use the method HMAC with the SHA-256 or SHA-1 hash function
A good reference is this question in security.stackexchange
Thanks @hugomg this already helps me a lot and clarified more than my doubts. It’s a great answer, thank you.
all right? Dude what you suggest to me in the question of "Use a very long random number, generated using an cryptographically secure and unpredictable number generator." ?
@Ericosouza: A CSPRNG is something you will want to get ready in a library or in your operating system. It depends on the language you use (if I remember correctly in Java you have a Securerandom API that you can use). The important thing is that it is impossible for a user to guess the next numbers generated using the information of the numbers they received.
Dude, thanks for the help again, I’m using java, I’m going to look for this API. Following the steps you explained to me this is one of the most important parts I still have to do. I was able to establish the communication between the server and the client, now I want to generate the key to do the management. Thank you.
Browser other questions tagged javascript ajax rest restful oauth2
You are not signed in. Login or sign up in order to post.
is using some MV framework* ?
– Caputo
@Caputo no, no framework. If it is possible to do this without using a framework it would be even better.
– Erico Souza
You can use Oauth or Token Authentication and use the HTML store to store the token in each browser
– Caputo
Thanks @Caputo, know any legal references about Oauth, or Token Authentication?
– Erico Souza
They are in English but for Oauth (http://oauth.net/code/) and Httpauthentication (http://www.peej.co.uk/articles/http-auth-with-html-forms.html)
– Caputo
Thank you @Caputo
– Erico Souza