I have an invite form on a web application I am working on. This invite form requires the user to select an email account and then enter a username and a password. These details are sent as POST variables via an ajax request using jQuery. The problem is that I can see the entered password (as well as other POST variables) in plain text using mozilla plugin FireBug.
I believe being able to see the password in plain text (in Firebug) is not ideal. Is there anyway I can prevent this? I tried making the ajax call FROM a page served over HTTPS and made the request over HTTPS as well but I can still see all the POST variables in plain text in Firebug.
Is there some way I could encrypt these variables client-side and then decrypt them on the server-side? Or is there some other solution?
GET vs POST in AJAX callsUnless you are sending sensitive data to the server or calling scripts which are processing data on the server it is more common to use GET for AJAX calls. This is because when using XMLHttpRequest browsers implement POST as a two-step process (sending the headers first and then the data).
Since AJAX calls are encrypted with a session key, AJAX queries cannot be sent directly to the server. If an attempt is made to send queries directly, the response given by the page will be "Forbidden," as the page expects to receive encrypted text in the AJAX call.
processData. If set to false it stops jQuery processing any of the data. In other words if processData is false jQuery simply sends whatever you specify as data in an Ajax request without any attempt to modify it by encoding as a query string.
The application uses the attributes of the f:ajax tag listed in Table 11-1 to create the Ajax request.
If you're using HTTPS, there's no need to worry (as long as HTTPS is properly setup, but this isn't relevant to this question).
You can see the values in Firebug because Firebug can see the headers sent by your browser, but no one except the browser can read these data.
Actually, you can't hide the value from Firebug, because the browser has to know what to send and Firebug can access everything your browser can.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With