Copy link to clipboard
Copied
In my LOGIN and LOGOUT module I am calling a cfc method using javascript ajax. But I want to pass password after encoding.
Is there any way to encode the password to be send to CFC method so that I should be able to decode the same also in the CFC method.
My javascript code is like below.
xmlhttp.open("POST","cfc/useraccess.cfc?method=checkUserAccess&username="+username+"&password="+password,true);
xmlhttp.send();
I want to pass this password in encoded form.
Any one have any idea on this.
Your help is well appreciated.
Copy link to clipboard
Copied
Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat(). This ensures that any special characters in either the hashed PW or the UN are URL-friendly.
What I would do is set a variable into your APPLICATION scope that is a seed. When you pass the password, use Encrypt on it with the seeded value. This way, when your CFC gets the request, it can use Decrypy, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.
Copy link to clipboard
Copied
Thanks Aegis for your response...
What I understood here is , I need to encrypt the password using javascript then append the APPLICATION scoped seed value with that encrypted password.right?????..... If this is what you meant to say then I have a question here.
1] Can we decrypt the password in CFC , because we are encrypting it with javascript. ? If so could you please help me how can I achieve this.?
Please correct me If I took it ,what you were trying to convince , in different sense.
Copy link to clipboard
Copied
I don't think you want to urlencode the entire path, only the variable values of username and password.
Security wise, you might want to put a little more thought into alternatives. Two issues that come up immediately in my mind:
That said, can this be tied to session security instead of URL query parameters?
Copy link to clipboard
Copied
Hi Steve,
Thanks for this information. Can you please elaborate a little about this session security.