 

Javascript hashing in AJAX login calls, more security?

From a lot of posts I've seen on the site, logins performed by AJAX or traditional forms are just as secure as one another. (re: "Login/session cookies, Ajax and security"; "Ajax login and javascript cookies, is this secure?")

My question(s) is/are:

  1. If I hash the user's password (via client-side/javascript hash libraries) before I send it to the server, do I increase security from people eavesdropping?

  2. If I put a form token (one random based, another time based), does that cover CSRF attacks?

  3. Would I have all my bases covered after all this? Would this form be secure?
Joseph Szymborski asked Nov 18 '11 02:11


2 Answers

Actually this could be a major security problem. The reason why passwords are hashed is a means of planning on failure. An attacker might gain access to the data store (sql injection) and then obtain the hash. If you are just logging in with a hash, then the attacker doesn't have to crack the recovered hash in order to gain access to the application.

Replay attacks are also a problem. If I sniff the hash during authentication, what's stopping me from just replaying that request to authenticate?

Protocols that use message digest functions for authentication provide the client with a nonce, which is used as a one time salt. Microsoft's SMB NTLM authentication is a good example, but it has had a lot of problems.

USE SSL, and not just for login. OWASP A9 states that the session id must never be leaked over an insecure channel. After all, who cares about the password if you just spill the real authentication credentials a few milliseconds later?

Most people don't implement CSRF protection for login. After all, the attacker would have to know the password in the first place, so "session riding" is a moot point.

rook answered Nov 09 '22 12:11
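The point in the answer above, that a hash recovered from the data store can be used to log in without cracking it, shown as an added example that is not part of the original answer. It is Node.js code with hypothetical function names and a constructed sample password, and the use of salted scrypt on the server is an assumption, not something the answer prescribes.

```javascript
// Added example (not from the original answers). All names are hypothetical.
const crypto = require('node:crypto');

// What the browser would send if it hashed the password before the AJAX call.
function clientHash(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Design A: the server stores the client-side hash and compares it directly.
// The stored value is now the credential itself.
function registerNaive(db, user, password) {
  db.set(user, { verifier: clientHash(password) });
}
function loginNaive(db, user, submitted) {
  const rec = db.get(user);
  if (!rec) return false;
  const a = Buffer.from(rec.verifier, 'hex');
  const b = Buffer.from(submitted, 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Design B: the server treats whatever arrives as the secret and applies its
// own salted, slow hash (scrypt) before storing or comparing.
function registerHardened(db, user, secret) {
  const salt = crypto.randomBytes(16);
  db.set(user, { salt, verifier: crypto.scryptSync(secret, salt, 32) });
}
function loginHardened(db, user, submitted) {
  const rec = db.get(user);
  if (!rec) return false;
  const candidate = crypto.scryptSync(submitted, rec.salt, 32);
  return crypto.timingSafeEqual(candidate, rec.verifier);
}

// Constructed scenario: the stored verifier has leaked from the data store.
function leakedVerifierLogsIn() {
  const password = 'correct horse battery staple'; // constructed sample
  const naive = new Map();
  const hardened = new Map();
  registerNaive(naive, 'alice', password);
  registerHardened(hardened, 'alice', password);
  const leakedNaive = naive.get('alice').verifier;
  const leakedHardened = hardened.get('alice').verifier.toString('hex');
  return {
    naive: loginNaive(naive, 'alice', leakedNaive),             // true: no cracking needed
    hardened: loginHardened(hardened, 'alice', leakedHardened), // false: must recover the secret
    legitimate: loginHardened(hardened, 'alice', password),
  };
}
```

Neither design addresses sniffing or replay of the submitted value on the wire; that is what the answer's SSL advice covers.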


A slight aside, but in answer to question 3. NO! Also remember that AJAX and standard forms are also just as insecure as one another.

Implementing secure authentication is hard. Unless you are doing it as an academic exercise, I would strongly recommend using the library provided by your framework, if you are lucky enough to have a good one.

You will also need to consider things such as the following, and more.

  • Implement a suitably random and unguessable session id for use in the session cookie.
  • Do not allow the session id to be forced.
  • When permissions or credentials are changed (e.g. because the user has now logged in or out) then immediately invalidate the session and start a fresh one.
  • Provide a logout feature, and be sure to invalidate the session upon logout.
  • Set the cookie to HttpOnly. Preferably require HTTPS and also set the cookie to secure only.
  • Consider restricting the session validity to include checking some other information that helps to match the user e.g. user-agent.
  • Always expire sessions after non-use and do not implement "keep me logged in" by reconnecting the user to their old http session.
  • Ensure 2 sessions can't have the same session id at the same time.
  • Ensure that all session data is destroyed when a session is invalidated. A new user coming along may just happen to get assigned a session id that has been used previously. This new session must not have any access to session data that has been set previously against that session id.
Cheekysoft answered Nov 09 '22 11:11