How secure is an HTTP POST request for sending user authentication data?

 
Ranch Hand
I have implemented user authentication using a simple HTTP POST request,

and I would like to know how secure that is.

 
Ranch Hand
It's not secure unless you encrypt the information that you're going to send and send it over HTTPS rather than HTTP. But this still doesn't prevent some smart jack-ass from hijacking the info, but at least it's still more secure than using a simple HTTP request.
 
Jigar Naik
Ranch Hand
True, but I am doing the data encryption at the server side only, before inserting the data into the database.

From client to server there is no encryption, just an HTTP POST request.

 
Rancher
It depends on what you consider to be "secure" - which kinds of risks are you trying to defend against?
 
Jigar Naik
Ranch Hand
In my case the hijacker should not be able to hack the authentication information (password).
 
Ulf Dittmer
Rancher
Yes, but what kind of attacker - where does he sit, what kinds of control are you assuming he may have over which machines, does the connection go over an intranet or the internet, etc.? Some of these SSL can guard against; for some of these it can't.
 
Jigar Naik
Ranch Hand
Yeah, the connection goes over the intranet only, and I am assuming the attacker is inside the network.

I have the threat of some client-side scripting which can fetch the sensitive data during client-to-server transport.
 
Ulf Dittmer
Rancher
By "client side", do you mean on the machine where the browser runs? Information is not yet encrypted when the user enters it into the browser, so if you try to guard against a process listening on the client then that's not something the web app itself can do anything about. But I don't fully understand the connection between "client-side scripting" and "during client-to-server transport", so maybe you meant something else.

If you assume that attackers can be inside the network, in other words part of the company, I think it's likely they can access (or try to access) the data in other ways as well. Maybe by going directly against the database, or they may be system administrators that have access to the servers to begin with.
 
Jigar Naik
Ranch Hand
Hi Ulf Dittmer,

Thanks for the information and your time...

By client side I meant the moment when the client submits the form, i.e. clicks on the login button, until the time the request reaches the server.

As far as I know, in a POST request the data is kept in the header. Is the data encrypted in the header?

What is the need for SSL? When should we use SSL and when should we not use SSL?
 
Ulf Dittmer
Rancher
You should use SSL if you want the data to be encrypted in transit. If you use it, most headers are encrypted as well as the body - which is where POST requests keep their data (not in the header).
 
Greenhorn
Check out Wikipedia - TLS (SSL) - and check out Search First.
 
Rancher
Use TLS/SSL.
It's easy.

Or at least a lot easier than doing your own to make it as secure.
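The two points made above, that a POST carries the form fields in the request body where anyone on the network path can read them unless TLS is in place, and that the fix is to use TLS rather than home-grown encryption, are easier to see with a concrete request. The following is an added example written for this thread, not code posted by any of the participants. It constructs the bytes a browser would emit for a login form (the sample request, the host name `intranet.example` and the credentials are all made up for the example), shows which fields a passive observer on a plain-HTTP path can read, and adds a small server-side gate that refuses to process a login submission that did not arrive over TLS. The `trust_proxy_header` switch and the `accept_login` helper are assumptions about how a deployment behind a TLS-terminating reverse proxy might be wired, not a description of any particular framework.

```python
"""Added example: a plain-HTTP login POST as seen on the wire, and a
server-side guard that rejects credentials that did not travel over TLS.
All sample bytes below are constructed for this example."""
from urllib.parse import parse_qs

# Constructed sample: what a browser sends for <form method="post" action="/login">
# on http://intranet.example. Over plain HTTP every hop between the browser and
# the server sees exactly these bytes; nothing in HTTP itself hides the body.
SAMPLE_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=s3cret!"
)


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def parse_form_body(raw: bytes) -> dict:
    """Return the form fields carried in the request body.

    These are the values readable by whoever can see the bytes: on plain HTTP
    that is the whole network path, which is why 'it is a POST, not a GET'
    adds no confidentiality on its own."""
    _, headers, body = split_request(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    parsed = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def arrived_over_tls(scheme: str, headers: dict, trust_proxy_header: bool = False) -> bool:
    """True only if the request was carried by TLS.

    `scheme` is what the server's own listener saw ('http' or 'https').
    Behind a TLS-terminating reverse proxy the listener sees 'http', so the
    proxy's X-Forwarded-Proto header is consulted instead, but only when the
    deployment explicitly marks that header as trustworthy: a client can set
    the same header itself, so it must never be trusted by default."""
    if scheme == "https":
        return True
    if trust_proxy_header:
        return headers.get("x-forwarded-proto", "").lower() == "https"
    return False


def accept_login(scheme: str, raw: bytes, trust_proxy_header: bool = False) -> tuple:
    """Gate for a hypothetical login handler: refuse cleartext submissions
    before touching the credentials. Returns (status code, message)."""
    _, headers, _ = split_request(raw)
    if not arrived_over_tls(scheme, headers, trust_proxy_header):
        # Do not parse, verify or log the fields: they were already exposed in
        # transit, and the user needs to resubmit over https regardless.
        return 403, "login form must be submitted over https"
    fields = parse_form_body(raw)
    if "username" not in fields or "password" not in fields:
        return 400, "missing credentials"
    return 200, "credentials received over TLS; verify against the password store"


# Response header to send once TLS is in place, so browsers refuse to
# fall back to plain HTTP for this host on later visits.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


if __name__ == "__main__":
    print("readable on a plain-HTTP path:", parse_form_body(SAMPLE_LOGIN_POST))
    print("submitted over http :", accept_login("http", SAMPLE_LOGIN_POST))
    print("submitted over https:", accept_login("https", SAMPLE_LOGIN_POST))
```

Run it and the first line prints the username and password straight out of the body, which is what an intranet observer gets for free without TLS; the gate then rejects that submission and accepts the same bytes once the listener reports `https`. The `trust_proxy_header` default of `False` is deliberate: enable it only on a server that is reachable solely through a proxy that overwrites `X-Forwarded-Proto` itself.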
 