
I'm dealing with passwords so security is critical.

Here's the flow...

I want to periodically update a user's screen with data I am fetching.

I would use a jquery function and call a smaller php file upon success, but I don't want to pass the user's password in a POST function.

I am assuming that if I call a jquery function from within the PHP function periodically, that would eliminate the issue of passing a password using the post function to php.

Reason I'm passing a password is that I'm using IMAP and have to use a user's password in order to retrieve emails.

Current flow (non-secure):

1.) Pass username and password using JavaScript into a PHP function using jQuery AJAX and a POST variable. My assumption is that this is not secure.

What's the secure solution?

  • Why would you assume that POST is not secure? There are two ways to get data to the server - GET and POST. GET - not secure; POST - more secure. If security is critical then you should be using POST with SSL. Commented Feb 7, 2011 at 22:22
  • POST is not significantly more secure than GET. It keeps the data out of standard access log files, and (if the data is sent as part of a normal form submission) out of the address bar (where it is vulnerable to "I stand behind you and look at your screen" attacks). Commented Feb 7, 2011 at 22:24
  • @David - What I meant by more secure is my Nan couldn't find out my password by looking at the URL. ;) Commented Feb 7, 2011 at 22:28
  • Perhaps I'm reading this wrong, but it sounds like you're just trying to keep the IMAP connection alive when no data is coming in. Have you looked at just logging in once and having the server-side code send NOOPs to keep the connection alive? Then you could terminate it on logout or when the client connection times out, and leave a cookie on the client. Commented Feb 7, 2011 at 23:15
  • No, I haven't. I'm not sure where I'd start with trying to do that. I'm using Zend_Mail to connect to IMAP: $mail = new Zend_Mail_Storage_Imap(array('host' => 'imap.aol.com', 'user' => 'username', 'password' => 'password', 'ssl' => 'SSL')); What type of code would I need to keep this open? Especially since I'm going back and forth between the main page and the PHP page through jQuery, also keeping in mind there may be multiple users on the site at once. Commented Feb 7, 2011 at 23:51

2 Answers


I am assuming that if I call a jquery function from within the PHP function periodically,

PHP runs on the server. Its output (which can include JavaScript) is sent to the client. The JavaScript executes on the client.

Calling JavaScript code from PHP would involve having some sort of JavaScript engine made available to the server (e.g. node.js). Since the password would still be on the client, this wouldn't do you any good.

I would use a jquery function and call a smaller php file upon success, but I don't want to pass the user's password in a POST function.

You have to pass the password at some point. You either pass it every time, or you pass it once, store it in a session, and then pass the session token about (which still gives access to the data, but less directly).

What's the secure solution?

Encryption (via HTTPS)


3 Comments

Okay, so I use SSL (https) and then pass the password back and forth in a session token, something like $_SESSION['pwd'], or is there something I'm missing? So can I store the password in $_SESSION['pwd'] and then pass it back and forth? Does this pass general security standards?
@Bob. Is there a specific reason why you are passing the password backwards and forwards? Could you not check the password once and then set a SESSION flag to say the password has been checked and validated?
Yes, because in order to open up an IMAP connection in PHP, I need to pass the connection. This is why I considered calling jquery from PHP instead, this way I'd only need to connect to the IMAP once in a PHP form, and then could update the screen by calling jquery from the PHP function. So each time I call a new PHP function, I need the password to open up a new IMAP connection - it's possible I can be wrong and I'm missing a key piece of info, any thoughts would be appreciated.

It sounds like you are storing the password on the client and then reusing it for future requests, which is generally a no-no.

Once the user logs in, issue a unique cookie with a cryptographically secure random number as the session ID (most web containers have this kind of functionality built-in). Pass the cookie with your periodic POST.

4 Comments

And of course, use SSL to do the initial login. Use SSL for everything (even static content) if the data is sensitive.
No, not storing it. It is a one time thing that I want to use. I wish there was a solid encryption/decryption that I could use, but I don't think any of them is worth it, so I'm not even storing passwords. Passwords are user email passwords for IMAP, so in general, I'm more than extremely hesitant about not storing them, so I decided to not store them. - I'm using the password on login to access IMAP or POP3 email from a server - passing it to a function, but not using it after that one time use.
Could you have the server make the IMAP requests and proxy the results to the browser?
Perhaps I'm just not sure where to start. I'm currently using Zend Mail.
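Both answers come down to the same design: send the password once over HTTPS, keep the IMAP credentials in server-side session storage, and let the browser's periodic poll carry only the random session cookie while the server talks to IMAP and proxies the result. The following is an added example (not code from the answers or from Zend Framework) that sketches that flow in one hypothetical mail.php endpoint, using the Zend_Mail_Storage_Imap constructor and imap.aol.com host from the question's comment; the action names, field names and JSON shape are assumptions.

```php
<?php
// mail.php: one hypothetical endpoint selected by the "action" POST field.
// Requires Zend Framework 1 on the include path. Must be served over HTTPS.
require_once 'Zend/Mail/Storage/Imap.php';

// Session ID travels only in a cookie that is HTTPS-only and hidden from JavaScript.
ini_set('session.use_only_cookies', 1);
session_set_cookie_params(0, '/', '', true, true);
session_start();
header('Content-Type: application/json');

// Opens an IMAP connection; the constructor throws if login fails.
function openImap($user, $password) {
    return new Zend_Mail_Storage_Imap(array(
        'host' => 'imap.aol.com', 'user' => $user,
        'password' => $password, 'ssl' => 'SSL'));
}

$action = isset($_POST['action']) ? $_POST['action'] : '';

if ($action === 'login') {
    // The only request that ever carries the password.
    try {
        openImap($_POST['user'], $_POST['password']);   // one-time credential check
    } catch (Exception $e) {
        header('HTTP/1.1 401 Unauthorized');
        echo json_encode(array('error' => 'login failed'));
        exit;
    }
    session_regenerate_id(true);   // fresh random ID once the user is authenticated
    $_SESSION['imap'] = array('user' => $_POST['user'], 'password' => $_POST['password']);
    echo json_encode(array('ok' => true));
} elseif ($action === 'poll' && isset($_SESSION['imap'])) {
    // Credentials come from the server-side session, never from the request body.
    $mail = openImap($_SESSION['imap']['user'], $_SESSION['imap']['password']);
    $n = $mail->countMessages();
    $latest = $n > 0 ? $mail->getMessage($n)->subject : null;
    echo json_encode(array('count' => $n, 'latest' => $latest));
} elseif ($action === 'logout') {
    $_SESSION = array();
    session_destroy();   // drops the stored credentials with the session
    echo json_encode(array('ok' => true));
} else {
    header('HTTP/1.1 401 Unauthorized');
    echo json_encode(array('error' => 'not logged in'));
}

/* Client side (jQuery): password sent once, then the poll carries only the cookie.
$.post('mail.php', {action: 'login', user: u, password: p}, function () {
    setInterval(function () {
        $.post('mail.php', {action: 'poll'}, function (d) { $('#count').text(d.count); }, 'json');
    }, 30000);
}, 'json');
*/
```

The browser never holds the password after the login call; only the server-side session does, and it is discarded on logout or session expiry.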
