JavaScript Security: is storing sensitive data in a self-invoking function more secure than cookies?
<p>I know security is either non-existent or very difficult in client-side JavaScript. I know my server-side code should ultimately decide who it gives data to or accepts data from.</p>
<p>That said, is the following okay to do? By "okay" I mean if this were the method used on some new popular trendy cool web app, could I sleep at night knowing that I won't see "Super Cool Web App Hacked, change your passwords!" all over HN and Reddit (or any other sources of info people care about) as a result of this implementation?</p>
<p>If it is not secure, why? How can that info (username and password) be obtained?</p>
<p>If it is secure, how sure are you? Why is it secure? What is stopping me from getting that info, outside of my obvious inability to right now?</p>
<p>Partial answers are welcome. Just looking for a better understanding.</p>
<hr>
<p><strong>EDIT</strong></p>
<p>I'm thinking about the case of someone trying to steal a user's credentials. My understanding is that cookies are insecure because 1.) other JavaScript (via XSS or whatever) can access them and because 2.) they are passed in the clear. I figure SSL would take care of the second issue, and let's just assume I'm able to prevent XSS. It would now seem that cookies are secure, right?</p>
<p>I'm aware of some supposed browser vulnerabilities that assist in making cookies insecure. That's what made me ask this question. Given all the things that make cookies insecure, is this (code below) any better?</p>
<hr>
<p><a href="http://jsfiddle.net/KTastrophy/vXEjm/1/" rel="noreferrer">http://jsfiddle.net/KTastrophy/vXEjm/1/</a> OR see code below (only tested in Chrome)</p>
<pre><code>&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
  &lt;meta charset="utf-8"&gt;
  &lt;title&gt;Login&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
  &lt;form id="login"&gt;
    &lt;div&gt;
      &lt;label for="username"&gt;Username&lt;/label&gt;
      &lt;input id="username" name="username" type="text" /&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;label for="password"&gt;Password&lt;/label&gt;
      &lt;input id="password" name="password" type="password" /&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;input id="submit" name="submit" type="submit" value="Login" /&gt;
    &lt;/div&gt;
  &lt;/form&gt;
  &lt;!-- The script belongs inside &lt;body&gt; (the original put it after &lt;/body&gt;, which is
       invalid markup); placed after the form, it runs once the form element exists. --&gt;
  &lt;script type="text/javascript"&gt;
  ;(function () {
    "use strict";
    // `user` is a local of this self-invoking function: no other script can reach it
    // by name, but it holds the plaintext password in memory for the life of the page.
    var login, user = {};
    login = document.getElementById("login");
    login.onsubmit = function (event) {
      event.preventDefault();
      user.username = document.getElementById("username").value;
      user.password = document.getElementById("password").value;
      /* use the username and password here to do an API request over SSL using HTTP Auth */
    };
  }());
  &lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre>