
What I am attempting to do is build a JavaScript library that will take an authenticated user on an external website and securely pass a few pieces of identifying information to my server to retrieve web content, which will then be served up in an iframe on the external site.

Now, my problem is that JavaScript is not secure, which is actually a big problem.

Assumptions

  1. The companies that own the external sites may have little to no IT infrastructure.
  2. I will not have access to their servers or code. For this reason, I'd just like to have them toss a JavaScript include and a few lines of HTML/JavaScript on the page.
  3. The external site can be in any language and hosted on any platform. My backend is .NET 4.0.

How do I securely get user details from the external server to my server while ensuring tampering is not going on? Any suggestions or ideas are welcome.

2 Answers


As far as I can see, this cannot be done using pure JavaScript.

You will always have to talk to the remote server and ask it whether the user is actually really logged on. Anything you get from JavaScript is unreliable, as it can be freely forged.

You could have the remote server serve a random token to the JavaScript that it in turn sends to your server (just like a session ID). Your server could then ask the remote server whether the token is valid, and display the necessary data.

It won't work without some involvement with the remote server, though. No way around that.


4 Comments

Thanks. That is what I was afraid of. I believe that I am going to have to present some sort of challenge instead of authing the user automatically.
@Josh you could do the authentication on your server, couldn't you? Simple HTTP auth would be easy - just serve something like an <img> tag pointing to a protected area on your server to cause the browser to pop up the authentication dialog on the 3rd party site. Session authentication is a few more steps but possible, too
I could. This is going to extend functionality of our current site out to third parties. Then they won't have to forward users off their site to use our service. Ideally, the user would only have to sign in once, and I would use the existing authentication of my site (forms auth) and just automatically set the auth cookie. But, with the requirements presented I think you are right; automatic authentication is just not secure in this case.
@Josh yup, it never will be. But an authentication that seems to be running on the client's site, but in fact runs through your service, should be reasonably simple to implement.

The most secure way of doing that is using Flash, and it isn't so secure either.

The problem with JavaScript is that every input and output from the user is available, and since the user can see the source file (wherever it is stored) you cannot hash those files.

You can use a Flash file as a buffer. The remote server sends the data to the JavaScript and the JavaScript sends it to Flash. Since Flash source code is not available without decompiling, Flash gets the data and sends it to your server hashed.

See how flxhr is working for more reference: http://flxhr.flensed.com/

3 Comments

Thanks for the suggestion, Ran. I didn't even consider flash as an option.
@Josh Flash has the same inherent security problems as JavaScript has: Traffic can be eavesdropped on using a packet sniffer, and altered. As long as it's not encrypted using SSL or something, it is not safe. Pure hashing is not a secure option.
@Pekka - I know how easy it is to decompile, plus I don't have access to any of the Flash tools. It's an interesting thought, but I might as well go with JavaScript.
