
Node.js, socket.io and mongojs - Login form with socket.io

I am currently creating a small chat application on node.js using mongojs. I have a mongo collection of users with username, password and name fields. The application uses socket.io to send the data in real time, then authenticates the user and lets him use the application if the auth is correct.

However, I don't want to send the password in plain text. Is there any way of encrypting the password on the client side? Or any better way to do this? I have thought of doing this on a separate page, but I need to do it on a single page.

Here is my client side code:

// Called from the login form's submit handler; returns false so the form
// does not perform a normal page-reloading POST.
function loginUser(){
    console.log("Login User");

    // Declared locally so the credentials are not leaked into globals.
    var username = $('#login-username').val();
    var password = $('#login-password').val();

    //VALIDATIONS

    // Sends the credentials to the server over the existing socket.io connection.
    socket.emit('auth-user', {"username": username, "password": password});

    return false;
}

I would strongly recommend against client-side encryption of your passwords.

If you are hashing before the password is sent, then you will have to store the hash of their password as is (or you could hash it again, which is equally useless). But unless you set up a public/private key system to decrypt them server-side, then RE-hash them with a separate hashing algorithm, you will have absolutely zero added benefit.

I do not know of any major sites that encrypt client side, because the accepted norm is to use HTTPS, since it allows ALL of your outgoing data to be encrypted by being sent on top of the SSL/TCP protocol.

It's important to note that socket.io is not insecure, as you seem to be assuming it is; it follows basic internet protocols, and will be as safe as any other site's login that isn't using HTTPS. Just something to consider.

Hmm... Very good question. I have never used socket.io with authentication before.

But it seems like passport, passport for socket.io, is Socket.IO's preferred way of handling authentication based on their wiki. I wasn't able to find anything about whether passport is encrypting the data, but it is at least using a POST call.

At the end of the
