What is an ideal for AJAX security?
When creating an XMLHttpRequest, if a HTTPS url asks, then the browser will handle all the certificates business and properly encrypt the request (or use existing authenticated tunnel already)? Is there any safety flaw in this model?
Still have user authentication problems with AJAX. It seems to me that the user can use password encryption to solve all or some of the authentication problems of an AJAX request. I have seen some impressive javascript based encryption tools. It seems that there will be a lot of possibilities to create a system that takes care of both encryption and authentication (host level and app user level). I have not seen anything which seems to have 'made a true effort'.
My question can be expressed in this form:
Thank you, as usual.
Through HTTPS, SSL is a cooperative enterprise with destination server. The destination server will identify it with its identification certificate (sent back to the client). It is part of the protocol that will encrypt the data stream between the client and the server.
However, it only encrypts the stream, it does nothing about many other security issues, the identification and authentication of a user entity requesting through another medium is controlled in other ways. . If you are encrypting the stream with SSL, then it should be safe to use HTTP Basic Proof. After this, the authentication response should be a session ID that will be sent back to the customer who will return it to all requests. Application servers usually manage the creation of those session IDs.
Comments
Post a Comment