
Submitting a Javascript form without plaintext password

I have a username and password stored in a db with 2-way encryption. I would like to use these to log into a site with a JS form like this:

        // Build a hidden login form on the fly and auto-submit it
        var form = document.createElement("form");
        form.setAttribute("method", "post");
        form.setAttribute("action", "http://www.someloginscript.com/");
        var f = document.createElement("input");
        f.setAttribute("type", "text");
        f.setAttribute("name", "username");
        f.setAttribute("value", myUser);
        var f1 = document.createElement("input");
        f1.setAttribute("type", "text");
        f1.setAttribute("name", "password");
        f1.setAttribute("value", myPass);   // decrypted password ends up in the DOM here
        form.appendChild(f);                // was appendChild(field): 'field' is never defined
        form.appendChild(f1);
        document.body.appendChild(form);
        form.submit();

I would like to submit the form with the password; however, to do this I need to decrypt it first. If I decrypt it then the password is visible through the 'Inspect Element' functions. I obviously don't want this.

I have stumbled upon a site called www.clipperz.com which does exactly what I want, but I am not sure how. Do I need to implement their open source encryption library from http://sourceforge.net/projects/clipperz/ ? Or is it all smoke and mirrors that makes it appear more secure?

thanks!

edit: I now know that there is no secure way of doing this. Is using curl a more secure way of submitting this form? This way I can keep all the handling of passwords server side?

You haven't specified it exactly, but it sounds like you're trying to use Javascript on one site to automate a login process into another site? Is that correct? It also sounds like you want to use a general login for all users, which you need to prevent the users from seeing.

I don't think this will be workable in the way you're trying to do it. The problem is that the user on the browser has complete access to the Javascript code and all the data it uses, via tools like Firebug. Using these tools, he can even go as far as modifying the code after the page has loaded.

In short, there is no way of letting Javascript handle the data without giving the user the ability to see it.

I would suggest a better approach might be something as follows:

  • Site 1 sends a message to Site 2, informing it that it wants to log in a user. It tells it the user's IP address, the login details it wants to use and other relevant details.

  • Site 2 responds to Site 1 with a token code, which Site 1 then sends to the user's browser.

  • The Javascript code on the user's browser then posts the token to Site 2 instead of a login name and password.

  • Site 2 recognises it as the token it just gave to Site 1, and that it has come from the IP address it was told about, and logs the user in as if it had received a normal set of login details.

This process obviously requires you to write code on both Site 1 and Site 2, so you have to have full access to both of them. If Site 2 is a third-party system, then you may have to come up with something else.

Whatever information you end up sending to the third-party site will have to be made available to the user's browser at some point, and at that point they'll be able to inspect it and get the information out.

Alternatively, they could look at the HTTP requests being made from their machine.

The point is, information on the user's machine can't be hidden from the user if it needs to be in a decrypted state on their machine at any point.
