
Authentication with Sencha ExtJS



Alex2013
13 Feb 2013, 6:29 AM
I want to have a secure authentication mechanism in my Sencha ExtJS app. I have a form with a username and password. I need to have some way of authenticating the user (without sending the password over the internet). What would be a good authentication mechanism to go for in Sencha?

scottmartin
13 Feb 2013, 3:25 PM
Can you be more specific? Do you want something like this?
http://www.wikidsystems.com/

This all depends on your requirements. This should be done at the server level anyway.

Scott.

mice-pace
13 Feb 2013, 5:21 PM
You don't necessarily need to be worried about sending the password over the internet if you do it right... I'm no expert, but I studied cryptography briefly at university.

Just as a rough example (not sure how secure this is now): an old system I was working on had the passwords in the database transformed by MD5 (a one-way transform), then when you submitted your password it was transformed the same way before being sent... this means that even if you intercept the message you don't know the original. This technique is still possibly vulnerable to replay (with a packet sniffer, intercept a valid login, collect the details, then send it on; next time you try to log in, intercept that request and replace it with the valid login attempt), and MD5 is no longer considered secure, but you have options, for instance...

If you make the server you run your Sencha app on use SSL (Secure Socket Layer... any page you've visited starting with https:// instead of http:// undoubtedly uses this), then before you finish loading the page your computer and the server have shaken hands and agreed on a virtually unique way of encoding messages to one another, so that encrypting the data sent and received is already taken care of for you. Unless I'm mistaken, Google starts your login request in a similarly secure environment, before then releasing you into regular-style connections once it is no longer dealing with your password.

Alex2013
13 Feb 2013, 11:01 PM
If you encrypt the password with MD5 in Sencha (JavaScript), can't everyone see how the password is encrypted (just by looking at the source code)? I want to have a secure way of authenticating the user. When the user is authenticated, let them get into the system. I just want to hear if there is a way of securely authenticating the user in Sencha. If it is not possible, it is a show-stopper for the project.

mice-pace
19 Feb 2013, 4:47 PM
Security through obscurity (http://en.wikipedia.org/wiki/Security_through_obscurity) [...] attempts to use secrecy of design or implementation to provide security. Security through obscurity has never achieved engineering acceptance [...] The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document. Quoting from one, "System security should not depend on the secrecy of the implementation or its components."

Kerckhoffs's principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

The short version? It shouldn't matter if a hacker knows how you encrypted something. Even if you used MD5 and I know it... AND I know what the encrypted version of the password looks like, it STILL doesn't help me. Why? Because MD5 is a one-way transform. All I can do is try random things until one goes through MD5 and ends up looking the same.

evant
19 Feb 2013, 5:09 PM
The problem with this question is that the Sencha part is redundant. You're asking how to authenticate a web application. There's an abundance of resources out there on different methods, depending on the security level your app requires.

ronaldmojica
3 Jul 2013, 6:32 PM
It really depends on your requirements.

- You can have OAuth authentication, where every API call you make to your API resource requires your OAuth token
- Storing a session token, much the same as the first scenario

The thing is how can you store those tokens?

- You can append it in the URL
- Store in the browser cookie
- LocalStorage
- Flash cookie

But these things can be accessed by anyone who has access to your computer.