StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POAuthentication model of a javascript app using ajax
primarykey
Id
11542910
data
AcceptedAnswerId
11590752
AnswerCount
1
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2012-07-18T13:47:35.220
FavoriteCount
2
LastActivityDate
2012-07-24T17:48:31.330
LastEditDate
2012-07-24T17:48:31.330
LastEditorUserId
935549
OwnerUserId
935549
ParentId
0
PostTypeId
1
Score
2
ViewCount
928
LastEditorDisplayName
text
Body
This is not a question specific about some javascript detail but I'm looking for validation that there are no obvious holes in the model that I've created. I decided to roll my own authentication routine (except for using a bcrypt to hash in the backend) which will work like this: <ol> <li>User (browser or phonegap created native app) signs up > Json object posted using jQuery ajax to backend that uses bcrypt to handle the password and save the password user profile data</li> <li>Backend generates, saves with client IP address a token which it returns (random hash, like /dev/urandom)</li> <li>jQuery plugin stores the token to a local cookie</li> <li>When some request is made (post, comment, whatever but not too often) it gets the token from the cookie and adds that to the json and posts it again with ajax</li> <li>Backend checks that the token exists and has not expired (valid for 7 days), checks that the ip-address is the same and if ok validates the request json data and processes the request</li> <li>When a token has expired a login screen is shown and credentials posted as ajax and a new token created as in step 2.</li> </ol> Everything goes through ssl for ajax requests and no passwords are stored anywhere. There is also a mechanism checking for brute force token spamming blocking the source ip temporarily if threshold exceeded. This is not a high security app but want to respect users data and make sure it's secure "enough". I hope the question qualifies even though it's not specific and work as a reference for someone else if it will spark some discussion. I couldn't find any best practice tutorials on this particular approach. UPDATE: The authentication mechanism updated according to the feedback received as it seems to be 'secure enough' for a non-critical web application.
Tags
<javascript><jquery><ajax><security><authentication>
Title
Authentication model of a javascript app using ajax
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USTimo Wallenius
UserOwnerUserId
1. USTimo Wallenius
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POAuthentication model of a javascript app using ajax
 UserUserId
 USKevin B
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POAuthentication model of a javascript app using ajax
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POAuthentication model of a javascript app using ajax
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COgenerate a random token, such as `/dev/urandom` don't use md5, it is broken and isn't the best tool for one time use tokens.
 singulars
 PostPostId
 POAuthentication model of a javascript app using ajax
 UserUserId
 USrook
2. COThanks for the tip, I'll look into an alternative method for generating the token. Can you tell me how is it broken for creating a random alfa-numeric string as I'm not using it for hashing passwords etc? Is the entropy worse than alternatives or something else?
 singulars
 PostPostId
 POAuthentication model of a javascript app using ajax
 UserUserId
 USTimo Wallenius

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.