
Can a client-side login be safe?

Could a client-side login to some page, e.g. example.html, be made safe through use of hashing etc.? I am asking mostly out of curiosity, but there might be some use-cases for things like a CMS for GitHub Pages or any arbitrary serverless application that resides inside the browser but needs a way to authenticate a user.

For example, if you have file x.txt where a salted hash of the password is stored and you compare the input of the password with it, you would have decent security in itself, if the password is strong enough of course. But since some dude with bad intentions could just remove your JavaScript, it would be worthless since the authentication can just be bypassed.

What I thought of would be to store a cookie with the password hash and only display sites where no login is needed. If one is needed, just display blank. Yet again, JS could just be removed and it is therefore useless.

It's great if you know who someone is (authentication), but what you ultimately want is to selectively prevent or allow access to specific information (authorisation). If you're doing authorisation client-side, the server will have to divulge all information to the client, and the client selectively decides which information to show or hide. Well, but the information is already on the client, and there's no technical possibility to prevent a user from accessing it, even if it's "behind the scenes".

So even if purely client-side authentication was possible (it isn't, for the same reasons), you will ultimately fail at client-side authorisation either way.

But since some dude with bad intentions could just remove your JavaScript, it would be worthless since the authentication can just be bypassed

Exactly. If the hidden information is already on the client, a malicious user can programmatically bypass the logic to access it.

To fix this, you would need to store hidden information on a server, where it requires a certain credential to access it.

The simplest way around this, without hosting your own server (AFAIK) is Firebase Authentication. Place your hidden stuff on Firebase and leverage their authentication (Sign in with Google).
