Abdul L Koyappayil

Encode and decode password

Sep 7, 2013 9:00 AM

In my LOGIN and LOGOUT module I am calling a cfc method using javascript ajax. But I want to pass password after encoding.

Is there any way to encode the password to be sent to the CFC method, so that I am also able to decode it in the CFC method?

My JavaScript code is like below.

xmlhttp.open("POST","cfc/useraccess.cfc?method=checkUserAccess&username="+username+"&password="+password,true);
xmlhttp.send();

I want to pass this password in encoded form.

 

Anyone have any idea on this?

Your help is well appreciated.

Replies
  • Sep 7, 2013 10:11 AM   in reply to Abdul L Koyappayil

    Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat().  This ensures that any special characters in either the hashed PW or the UN are URL-friendly.

    What I would do is set a variable into your APPLICATION scope that is a seed.  When you pass the password, use Encrypt on it with the seeded value.  This way, when your CFC gets the request, it can use Decrypt, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.

  • Sep 13, 2013 8:25 AM   in reply to Aegis Kleais

    I don't think you want to urlencode the entire path, only the variable values of username and password.

    Security-wise, you might want to put a little more thought into alternatives. Two issues that come up immediately in my mind:
    1. Even encrypted, the password is still usable by the intended user and anyone that can get to the browser cache. To mitigate this you'll want the encryption seed to be short lived and/or put a timestamp in the password and don't accept passwords that exceed some period.
    2. If you must comply with any sort of security program (like PCI), most scanners and assessors will red flag code like this because it is unsafe -- even with short lived seeds.

    That said, can this be tied to session security instead of URL query parameters?
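
The two replies above make two points about the poster's request: URL-encode only the parameter values, not the whole path, and keep the password out of the URL query string, where it lands in browser history and server logs. The block below is an added example, not code from the thread, showing the poster's request restructured that way; it reuses the post's cfc/useraccess.cfc endpoint and checkUserAccess method name, and the helper names (buildFormBody, loginRequest, sendLogin) are assumptions of this example.

```javascript
// Added example (not from the thread): send the credentials in the POST body,
// URL-encoding only the individual values, never the endpoint path.
// The endpoint and method name are taken from the original post.
const CFC_URL = "cfc/useraccess.cfc";

// Encode each name/value pair separately, as URLEncodedFormat() would per value
// in ColdFusion; the path itself is left untouched.
function buildFormBody(fields) {
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// Encoding is not confidentiality: refuse to put credentials on the wire
// unless the page itself was served over HTTPS.
function isSecureOrigin(protocol) {
  return protocol === "https:";
}

// Build the request description. Only the (non-secret) method name stays in
// the URL; username and password travel in the form-encoded body, so they
// stay out of browser history, proxy logs and the web-server access log.
function loginRequest(username, password, protocol) {
  if (!isSecureOrigin(protocol)) {
    throw new Error("refusing to send credentials over " + protocol);
  }
  return {
    method: "POST",
    url: CFC_URL + "?method=checkUserAccess",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildFormBody({ username: username, password: password }),
  };
}

// Browser usage: the equivalent of the poster's xmlhttp.open()/send(), with
// the credentials moved into the body. Runs only where XMLHttpRequest and
// window exist (a browser, not a server-side runtime).
function sendLogin(username, password) {
  const req = loginRequest(username, password, window.location.protocol);
  const xhr = new XMLHttpRequest();
  xhr.open(req.method, req.url, true);
  xhr.setRequestHeader("Content-Type", req.headers["Content-Type"]);
  xhr.send(req.body);
  return xhr;
}
```

The CFC then reads FORM.username and FORM.password and verifies them against a stored password hash; TLS protects the values in transit, which client-side encoding alone does not.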
