4 Replies Latest reply: Sep 16, 2013 8:49 PM by Abdul L Koyappayil RSS

    Encode and decode password

    Abdul L Koyappayil Community Member

      In my LOGIN and LOGOUT module I am calling a cfc method using javascript ajax. But I want to pass password after encoding.

       

      Is there any way to encode the password to be send to CFC method so that I should be able to decode the same also in the CFC method.

       

      My javascript code is like below.

       

      xmlhttp.open("POST","cfc/useraccess.cfc?method=checkUserAccess&username="+username+"&password="+password,true);

      xmlhttp.send();

       

      I want to pass this password in encoded form.

       

      Any one have any idea on this.

       

      Your help is well appreciated.

        • 1. Re: Encode and decode password
          Aegis Kleais Community Member

          Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat().  This ensures that any special characters in either the hashed PW or the UN are URL-friendly.

           

          What I would do is set a variable into your APPLICATION scope that is a seed.  When you pass the password, use Encrypt on it with the seeded value.  This way, when your CFC gets the request, it can use Decrypy, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.

          • 2. Re: Encode and decode password
            Abdul L Koyappayil Community Member

            Thanks Aegis for your response...

             

            What I understood here is , I need to encrypt the password using javascript then append the APPLICATION scoped seed value with that encrypted password.right?????..... If this is what you meant to say then I have a question here.

             

            1] Can we decrypt the password in CFC , because we are encrypting it with javascript. ? If so could you please help me how can I achieve this.?

             

            Please correct me If I took it ,what you were trying to convince , in different sense.

            • 3. Re: Encode and decode password
              Steve Sommers Community Member

              I don't think you want to urlencode the entire path, only the variable values of username and password.

               

              Security wise, you might want to put a little more thought into alternatives. Two issues that come up immediately in my mind:

               

              1. Even encrypted, the password is still usable by the intended user and anyone that can get to the browser cache. To mitigate this you'll want the encryption seed to be short lived and/or put a timestamp in the password and don't accept passwords that exceed some period.
              2. If you must comply with any sort of security program (like PCI), most scanners and assessors will red flag code like this because it is unsafe -- even with short lived seeds.

               

              That said, can this be tied to session security instead of URL query parameters?

              • 4. Re: Encode and decode password
                Abdul L Koyappayil Community Member

                Hi Steve,

                 

                Thanks for this information. Can you please elaborate a little about this session security.