2

I want to add integration with a third-party service to a web application (developed in HTML and Javascript) which targets Android / iOS (and later Windows Phone). Thus I have access to all "modern" features. This third-party service needs credentials and is controlled via GET-Parameters.
For example, a request url could look like "http://www.example.org/foo?username=user&password=1234".

Changing the third-party service to accept hashed passwords is no option as I have no access to it.

As the user does not want to type in his username and password every time he uses the service or starts the application, I want to save his credentials somehow.

Now I wonder, what's the best way to do so.
I know that real "security" is an illusion here but I do not want to expose the credentials to unnecessary risks by saving them the wrong way.

I already thought about several possible ways

  • Plain Cookies: The most straightforward way - is it "secure" enough in this scenario?
  • DOM-Storage: Any differences to cookies in this relationship?
  • Encrypted Cookies: The credentials would be encrypted, but you could easily find out the key when looking at the source code of the page or debugging it.

Which one should I choose? Are there any better ways?
Is bothering with encrpytion actually worth it when it can be cracked that easily?

Matthias
  • 12,053
  • 4
  • 49
  • 91

1 Answers1

2

All the ways are bad and insecure. So is sending username and password as a get param - you even run this over https?

The way to do this usually is to not store the username/password at all, but a GUID/hash that identifies the users session, and then let that session be persisted.

That way, even if somebody else gets access to the session, they won't have the username/password. As part of this, people cannot change the password unless they supply the existing.

Connect to and authenticate with the 3rd party service through a backend proxy if it absolutely needs to have username/password sent.

Martin Jespersen
  • 25,743
  • 8
  • 56
  • 68
  • Yes - the third party service uses https. However, I *can not* change it - I would really prefer storing only a session identifier. But that's not possible. – Matthias Mar 08 '11 at 12:28
  • @winSharp93: If you use a backend proxy for the authentication you don't need to expose the username/password to the client – Martin Jespersen Mar 08 '11 at 12:30
  • Not possible, either. I am only able to upload plain HTML/Javascript files to my server. – Matthias Mar 08 '11 at 13:02
  • @winSharp93: In that case it doesn't sound like something useful really. Look at it from your users perspective: why should they use something that so blatantly exposes their login credentials? Remember that the average user uses the same username/password combo across multiple sites... creating a solution that exposes usernames and passwords is a bad idea no matter how you try to justify it - you are simple doing your potential users a disservice. – Martin Jespersen Mar 08 '11 at 13:27
  • Yes, you're right - I will ask the support of the third-party service to allow authentication using session ids rather than username/password. Let's hope they will implement it. – Matthias Mar 08 '11 at 14:10