 

What is the simplest secure way to authenticate users via AJAX?

I'm building a Google App Engine web app, with a Java back end, that relies heavily on JavaScript/jQuery in the browser (you can see it here).

I want to implement a user authentication mechanism that will also rely on AJAX (i.e. users will be able to register and log in without a page refresh).

I don't want to rely on Google's authentication because I've found that a lot of people are reluctant to give up their Gmail email addresses, but I would like to support authentication via Google/Facebook/Twitter etc. in future.

I like the simplicity of Reddit's approach to user authentication.

My concern is that since people won't be using my app over HTTPS, I don't want to have to send a password in cleartext over HTTP. I would also prefer to rely on some kind of secret token (perhaps a hash of the password and some server-provided "salt"), which could be intercepted and spoofed.

At the same time, I don't want to have to put a huge amount of effort into implementing the authentication mechanism.

Is there an approach that gives me the simplicity I want, yet which is secure over HTTP?

Edit: I just realized that Google App Engine does support HTTPS, but only if you connect via the *.appspot.com URL for your site. Unfortunately you can't do AJAX calls to this due to cross-site scripting restrictions, although I guess it may be possible with JSONP.

So, is using JSONP+HTTPS+*.appspot.com the best approach here?

sanity asked Feb 02 '12 14:02


1 Answer

You must use https for secure communication via http. There is no way to do secure communication from a browser without it.

If you use JSONP + https on the appspot domain, your users will not see that your site is secure, and you will not be able to save cookies in a secure manner. For us, the only solution was to expose the ugly appspot.com domain directly to our customers. Google has been saying for a long time that SSL on custom domains is coming, but there's no date.

Edit for PS: if you don't need your customers to see a green https, and don't need to save cookies in a secure manner (maybe instead a secure-by-obscurity session key?), jsonp + https to *.appspot.com sounds like a clever solution that would work.

Riley Lark answered Nov 11 '22 10:11
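As an added example that is not part of the original thread or the asker's app: the JSONP-over-HTTPS login flow the answer sketches, written as a small browser client that keeps the session key in memory rather than in a cookie. The origin https://your-app.appspot.com, the /api/login path and the parameter names are assumptions.

```javascript
// Added example, not the thread's code; origin, paths and parameter names are assumed.
// Build the script URL for a JSONP call. Anything but https is refused, so a password
// or session key never goes over plain http, which was the asker's concern.
function buildJsonpUrl(origin, path, params, callbackName) {
  const url = new URL(path, origin);
  if (url.protocol !== "https:") throw new Error("refusing non-https origin " + origin);
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  url.searchParams.set("callback", callbackName);
  return url.toString();
}

// Browser loader: adds a <script> tag. The `inject` parameter below lets a test swap it.
function injectScript(src, onError) {
  const s = document.createElement("script");
  s.src = src;
  s.onerror = () => onError(new Error("script load failed: " + src));
  document.head.appendChild(s);
}

// One JSONP round trip: register a uniquely named global callback, load the script,
// resolve with the JSON the server passed to that callback, then drop the global.
function jsonp(origin, path, params, inject = injectScript) {
  return new Promise((resolve, reject) => {
    const cb = "jsonp_cb_" + Math.random().toString(36).slice(2);
    globalThis[cb] = (data) => { delete globalThis[cb]; resolve(data); };
    let src;
    try { src = buildJsonpUrl(origin, path, params, cb); }
    catch (e) { delete globalThis[cb]; return reject(e); }
    inject(src, (err) => { delete globalThis[cb]; reject(err); });
  });
}

// The session key lives in this closure, not in document.cookie: a cookie set by the
// appspot origin is not readable from the custom-domain page anyway.
function createAuthClient(origin, inject = injectScript) {
  let sessionKey = null;
  return {
    async login(username, password) {
      const r = await jsonp(origin, "/api/login", { username, password }, inject);
      if (!r || !r.ok) throw new Error("login rejected");
      sessionKey = r.session;
    },
    isLoggedIn() { return sessionKey !== null; },
    // Every later call carries the session key; the server validates it per request.
    call(path, params = {}) {
      if (!sessionKey) return Promise.reject(new Error("not logged in"));
      return jsonp(origin, path, { ...params, session: sessionKey }, inject);
    },
  };
}
```

JSONP can only issue GET requests, so the credentials travel in the query string and will show up in server and proxy logs, a caveat to weigh alongside the cookie limitation the answer mentions.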