0

I'm trying to develop a website using MVC. I've got my HTML form (view), a js controller which is called when pressing "submit" and then I need to pass the data (including the password) to a php file (model) where the password will be hashed, salted and saved in the database.

I'm not sure I'm doing this the right way. Is it possible to pass values from my js file to the php file in a secured way?

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
Jacob.B
  • 771
  • 1
  • 9
  • 19
  • Use a md5 function, to encrypt the password before send it to the server. Also use ssl (https) protocol. You don't need that password in text plain. – Yasel Aug 12 '15 at 16:16
  • 3
    @Yasel You haven't thought this through. Hashing a password on the client would change the password to that hash. If someone got their hand on the hash they would have the password! Also, this would just be obfuscation, at best. Real security does not rely on obfuscation. – Sverri M. Olsen Aug 12 '15 at 16:21
  • @Yasel Sending a hashed password is really terrible advice. – Tim Seguine Aug 12 '15 at 16:46
  • It doesn't matter if someone on the client can see or not the encryption algorithm, the really important part is that no one can sniff that password from the network. Using the ssl protocol is the real deal, using md5 before sending the password is a plus and won't hurt anybody. If some can break the client, there is nothing that would save you from that, encrypted or not. – Yasel Aug 12 '15 at 19:20
  • 1
    @Yasel md5 hashing a password before sending it over the network wins you absolutely nothing. You are just as vulnerable to replay attacks with or without it. As far as "it won't hurt anybody" md5 shouldn't be part of anyone's security arsenal. It has limited value as a message digest compared to other options and there are pretty extensive easily obtainable rainbow tables for it. – Tim Seguine Aug 15 '15 at 19:11

3 Answers3

7

The only secure way to pass it is to be on a secure line. That means the page that hosts the form must be served on HTTPS. The page you're submitting to should also be in HTTPS.

Hashing the password from the client-side makes no sense.

           (1) Browser | (2) Network  | (3) Server
                       |              |
password -(md5)-> hash | -(network)-> | server

The attacker won't know the raw password, but that doesn't matter. All the server wants is the hash. The hash essentially has become the password. Without SSL, an attacker could simply sniff your hash in (2), and replay your request from (2) directly to the server. The server won't even know it was forged.

Joseph
  • 117,725
  • 30
  • 181
  • 234
  • The thing is, I'm a cs student and I'm broke.. so I can't really pay for https services.. It's a part of an assignment I've been given. So maybe I should go about it differently? use php directly without js between? – Jacob.B Aug 12 '15 at 16:10
  • @Mapisto There are a few vendors online that offer free SSL Certs. You can try them out. You can also self-sign as the other answers suggest. Not sure if browsers will accept them as "secure" but should work for your assignment. – Joseph Aug 12 '15 at 16:37
  • Thanks for the help. What I eventually did: From js to php I've hashed the password. Then from php to the database I've used salted hash before saving the password. I guess it's safe enough for my little project :) At least for now. – Jacob.B Aug 15 '15 at 02:28
  • @JosephtheDreamer it will work. Self signed certificates issue a really scary looking warning in most browsers insisting that what you are doing is not safe, but if you tell it to use it anyway, it will work just fine. For real publishing pretty useless, but for testing and personal use maybe acceptable. – Tim Seguine Aug 15 '15 at 19:15
  • @TimSeguine I never said they won't work. I just said they might not be considered secure. I remember the free Comodo certs aren't considered secure by Chrome. – Joseph Aug 15 '15 at 20:49
  • 1
    @JosephtheDreamer I was more or less verifying what you were saying. – Tim Seguine Aug 16 '15 at 11:44
2

Since ajax post request technically is the same as post form submitting, they are on the same logical level. Nothing can protect you from breaking you encryption in browser so, basically, there is no sense to do that (you don't encrypt your plain forms data, do you?).

First, you need to understand what danger you're trying to avoid. It's most likely a network traffic interception. You're still using HTTP so all methods are the same. You need to use traffic encryption via SSL.

NOTE: HTTPS can't protect you from stealing data directly from user PC (e.g. spyware).

Please, read more about HTTP vulnerabilities to get more clue. It seems you're missing some theoretical basic knowledge about how this whole thing works.

Kirill Rogovoy
  • 583
  • 3
  • 11
1

You can enable HTTPS by creating and self-signing your own SSL certificate (ie, you don't have to pay a Certifying Authority for a cert, totally free option). Your browser will warn you that the site isn't safe when you access it, since the certificate won't be signed by a trusted authority, but the connection will still be encrypted.

Here's a related question/answer about generating/self signing your own SSL certificate: How to create a self-signed certificate with openssl?

Community
  • 1
  • 1
laserslasers
  • 91
  • 1
  • 1
  • 5