Encode and decode password

Explorer, Sep 07, 2013

In my LOGIN and LOGOUT module I am calling a cfc method using javascript ajax. But I want to pass password after encoding.

Is there any way to encode the password to be sent to the CFC method so that I am able to decode it in the CFC method as well?

My JavaScript code is like below.

var xmlhttp = new XMLHttpRequest();

// username and password are sent as query-string parameters of the POST
xmlhttp.open("POST","cfc/useraccess.cfc?method=checkUserAccess&username="+username+"&password="+password,true);

xmlhttp.send();

I want to pass this password in encoded form.

Does anyone have any idea on this?

Your help is well appreciated.

Enthusiast, Sep 07, 2013

Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat().  This ensures that any special characters in either the hashed PW or the UN are URL-friendly.

What I would do is set a variable into your APPLICATION scope that is a seed.  When you pass the password, use Encrypt on it with the seeded value.  This way, when your CFC gets the request, it can use Decrypt, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.

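The encoding half of the advice above, as an added example in JavaScript that is not code from the original thread. It assumes the endpoint path and parameter names from the first post; everything else (function names, the stub XMLHttpRequest used for offline testing) is invented for illustration. It applies the percent-encoding to each value separately and moves the credentials out of the query string into the POST body; it also shows what happens when the entire path is encoded instead, so the two readings of "wrap your path in URLEncodedFormat()" can be compared. Encoding is a transport-correctness step, not a secrecy measure: the password is still readable by anyone who can see the request, so the request has to travel over HTTPS regardless.

```javascript
// Added example (not from the original thread). Endpoint and parameter names
// are taken from the first post; all function names are hypothetical.

const CFC_URL = "cfc/useraccess.cfc?method=checkUserAccess"; // from the original post

// Encode a name/value map as application/x-www-form-urlencoded.
// encodeURIComponent is applied per VALUE, so "&", "=", "+" and "%" inside a
// password cannot split or corrupt the parameter list on the server side.
function formEncode(fields) {
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// The request we want: method selector stays in the URL, credentials go in
// the body, where they do not end up in browser history or server access logs.
function buildLoginRequest(username, password) {
  return {
    method: "POST",
    url: CFC_URL,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: formEncode({ username: username, password: password }),
  };
}

// What the original snippet does: credentials concatenated, unencoded, into
// the URL of a POST. Kept here only so the difference can be checked.
function buildQueryStringRequest(username, password) {
  return {
    method: "POST",
    url: CFC_URL + "&username=" + username + "&password=" + password,
    headers: {},
    body: null,
  };
}

// Encoding the WHOLE path also escapes the "?", "=" and "&" that give the URL
// its structure, so the server would see one opaque path segment and no
// method or parameters at all. Only the individual values should be encoded.
function encodeWholePath(path) {
  return encodeURIComponent(path);
}

// Send a built request with the XMLHttpRequest API used in the original post.
// The xhr object is injected so the function can be exercised outside a browser.
function sendRequest(xhr, req, onDone) {
  xhr.open(req.method, req.url, true);
  Object.keys(req.headers).forEach((h) => xhr.setRequestHeader(h, req.headers[h]));
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) onDone(xhr.status, xhr.responseText);
  };
  xhr.send(req.body);
}
```

In a browser the call is simply `sendRequest(new XMLHttpRequest(), buildLoginRequest(username, password), handler)`; the server-side CFC then reads `form.username` and `form.password` instead of `url.*`.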
Explorer, Sep 11, 2013

Thanks, Aegis, for your response.

What I understood here is, I need to encrypt the password using JavaScript, then append the APPLICATION-scoped seed value to that encrypted password, right? If this is what you meant to say, then I have a question here.

1] Can we decrypt the password in the CFC, given that we are encrypting it with JavaScript? If so, could you please help me with how I can achieve this?

Please correct me if I took what you were trying to convey in a different sense.

Advocate, Sep 13, 2013

I don't think you want to urlencode the entire path, only the variable values of username and password.

Security wise, you might want to put a little more thought into alternatives. Two issues that come up immediately in my mind:

  1. Even encrypted, the password is still usable by the intended user and anyone that can get to the browser cache. To mitigate this you'll want the encryption seed to be short lived and/or put a timestamp in the password and don't accept passwords that exceed some period.
  2. If you must comply with any sort of security program (like PCI), most scanners and assessors will red flag code like this because it is unsafe -- even with short lived seeds.

That said, can this be tied to session security instead of URL query parameters?

Explorer, Sep 16, 2013

Hi Steve,

Thanks for this information. Can you please elaborate a little about this session security.
