In order to protect the password, I need to send it to the server securely, but without using SSL or HTTPS.

Also, I use AjaxPro to send data to the server.

Here is javascript code :
JavaScript
function checkPW(username, password)
{
    // The asker wants to encode the password at this point. Any encoding done
    // here runs in script that the browser received over the same unprotected
    // connection, so on its own it does not keep the password confidential in
    // transit; as written, the password is passed to the server unchanged.
    var loginResult = AjaxMethods.Login(username, password);
}


Here is c# code
C#
[AjaxMethod()]
public bool Login(string username, string password)
{
    // The asker wants to decode the password at this point. The value arrives
    // exactly as the client sent it; as written, it is handed to the credential
    // check unchanged, so nothing in this method protects it on the wire.
    bool isValid = ChekingUsernameAndPassword(username, password);
    return isValid;
}

Thanks in advance.
Regards Jamal.
Posted
Updated 10-Jan-12 21:33pm
v2

If you're limited to javascript on client side then it will never be secure unless you're using SSL.

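You could try some JavaScript encryption libraries, but that will only seem secure: without SSL, whoever can read the traffic can also change the script the page delivers, or simply replay the value it sends.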
 
 
Comments
Jamal Seyedi 11-Jan-12 4:42am    
Of course I am limited. I am looking for some JavaScript encryption libs whose output I can decrypt on the server.
Tech Code Freak 11-Jan-12 4:51am    
My 5!
Al Moje 12-Jan-12 1:48am    
Hi, I suggest you do it in the code-behind. See my sample code...
Hi,

C#
// I am not in favor of passwords being reversible (encrypt/decrypt).
// I store the password as bytes in the table (users), then
// when needed retrieve it and compare it as bytes.
// Never mind any down-voting…
// So here it is...
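/// <summary>
/// Returns the 16-byte MD5 digest of <paramref name="dat"/>.
/// </summary>
/// <remarks>
/// Despite the name this is a one-way hash, not encryption: the input cannot be
/// recovered from the result.
/// SECURITY NOTE(review): an unsalted, fast hash such as MD5 is not suitable for
/// storing passwords. Identical passwords produce identical digests and the digest
/// is cheap to compute in bulk. A salted, deliberately slow key-derivation function
/// (for example PBKDF2 via <c>Rfc2898DeriveBytes</c>) is the appropriate choice, but
/// it needs a per-user salt to be stored, so it is not swapped in silently here.
/// </remarks>
/// <param name="dat">Text to hash; must not be null.</param>
/// <returns>The MD5 digest as a byte array.</returns>
private static byte[] encrypt(string dat)
{
    // UTF-8 instead of ASCII: the ASCII encoder turns every non-ASCII character
    // into '?', which made different passwords hash to the same value. Digests of
    // pure-ASCII input are unchanged; digests of non-ASCII input differ from the
    // ones the ASCII version produced.
    byte[] bytes = System.Text.Encoding.UTF8.GetBytes(dat);

    // The hash object is disposable; release it as soon as the digest is computed.
    using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
    {
        return md5.ComputeHash(bytes);
    }
}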


Regards,
 
 
Comments
Tech Code Freak 11-Jan-12 4:51am    
My 5!
Jamal Seyedi 11-Jan-12 5:33am    
thanks a lot, what should i do in the client side?
Hi,

See this sample code-behind:

C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;

/// <summary>
/// Plain data holder for one row of the sample <c>users</c> table.
/// All members are simple read/write string properties and start out as null.
/// </summary>
public class User
{
    /// <summary>Login identifier entered by the user.</summary>
    public string UserId { get; set; }

    /// <summary>Display name of the user.</summary>
    public string UserName { get; set; }

    /// <summary>Payor code associated with the account.</summary>
    public string PayorCode { get; set; }

    /// <summary>Application the account belongs to.</summary>
    public string Application { get; set; }

    /// <summary>Access level granted to the account.</summary>
    public string AccessLevel { get; set; }

    /// <summary>Activation date, kept as text.</summary>
    public string ActivationDate { get; set; }

    /// <summary>Identifier of whoever created the account.</summary>
    public string CreatedBy { get; set; }

    /// <summary>Password value; the sample page stores the hashed form here before querying.</summary>
    public string Pwd { get; set; }

    /// <summary>Account status flag; the sample page treats "Y" as activated.</summary>
    public string Status { get; set; }
}

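/// <summary>
/// Code-behind for the sample login page: hashes the submitted password, looks the
/// user up in the <c>users</c> table and reports the outcome in <c>lblValidation</c>.
/// </summary>
/// <remarks>
/// Nothing in this class protects the password between the browser and the server.
/// <c>txtPassword.Text</c> holds the value exactly as the form posted it, so
/// confidentiality in transit still has to come from HTTPS.
/// </remarks>
public partial class _Default : System.Web.UI.Page
{
    /// <summary>Page load handler; intentionally empty.</summary>
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Handles the login button: hashes the entered password, queries the matching
    /// user row and writes the result message to <c>lblValidation</c>.
    /// </summary>
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        User user = new User();
        user.UserId = this.txtUserId.Text;
        user.CreatedBy = this.txtUserId.Text;
        user.Pwd = this.txtPassword.Text;

        // Hard-coded sample values; they only matter when the commented-out
        // InsertNewUser call below is enabled to seed a test account.
        user.UserName = "Algem";
        user.PayorCode = "FWB";
        user.Application = "XP";
        user.AccessLevel = "admin";
        user.Status = "Y";

        user.Pwd = Encrypt(user.Pwd, 14);
        //var ok = InsertNewUser( user);

        User userCredential = GetUserCredential(user.UserId, user.Pwd);
        if (userCredential.UserId == null)
        {
            // One message for both causes, so the page does not reveal which
            // of the two values was wrong.
            lblValidation.Text = "Invalid UserID or Password";
        }
        else if (userCredential.Status != "Y")
        {
            // Fix: test the status read from the database. The original tested the
            // local object, whose Status was just set to "Y", so this branch could
            // never run.
            lblValidation.Text = "Account is not yet activated";
        }
        else
        {
            lblValidation.Text = "Authenticated user.  Go to main menu...";
            // goto main menu...
        }
    }

    /// <summary>
    /// Inserts <paramref name="user"/> into the <c>users</c> table, with the
    /// activation date set by the database server.
    /// </summary>
    /// <param name="user">Values to store; <c>Pwd</c> is written as given.</param>
    /// <returns>Always true; database failures surface as exceptions.</returns>
    public bool InsertNewUser(User user)
    {
        // Fix: the original VALUES list contained only GetDate() for nine columns,
        // so the statement could not run. Each value is now bound as a parameter
        // and never concatenated into the SQL text.
        const string sql =
            "INSERT INTO users(UserId, UserName, Pwd, PayorCode, Application, AccessLevel,"
            + "Status,CreatedBy, ActivationDate) "
            + "VALUES(@UserId, @UserName, @Pwd, @PayorCode, @Application, @AccessLevel,"
            + "@Status, @CreatedBy, GetDate()) ";

        // Both objects are disposed by the using blocks; the original never closed
        // the connection.
        using (SqlConnection conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings["SQLConnection"].ToString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddWithValue("@UserId", DbValue(user.UserId));
            cmd.Parameters.AddWithValue("@UserName", DbValue(user.UserName));
            cmd.Parameters.AddWithValue("@Pwd", DbValue(user.Pwd));
            cmd.Parameters.AddWithValue("@PayorCode", DbValue(user.PayorCode));
            cmd.Parameters.AddWithValue("@Application", DbValue(user.Application));
            cmd.Parameters.AddWithValue("@AccessLevel", DbValue(user.AccessLevel));
            cmd.Parameters.AddWithValue("@Status", DbValue(user.Status));
            cmd.Parameters.AddWithValue("@CreatedBy", DbValue(user.CreatedBy));

            conn.Open();
            cmd.ExecuteNonQuery();
        }

        return true;
    }

    /// <summary>
    /// Looks up the row whose <c>UserId</c> and <c>Pwd</c> match the arguments.
    /// </summary>
    /// <param name="userId">User id as typed into the form (untrusted input).</param>
    /// <param name="pwd">Hashed password, in the form produced by <c>Encrypt</c>.</param>
    /// <returns>
    /// A <see cref="User"/> filled from the first matching row, or a
    /// <see cref="User"/> whose <c>UserId</c> is null when no row matches.
    /// </returns>
    private User GetUserCredential(string userId, string pwd)
    {
        // Fix: the original built this statement by concatenating userId and pwd
        // into the SQL text, which lets form input alter the query (SQL injection).
        // Both values are now sent as parameters.
        const string qry =
            "SELECT * FROM [TestDB].[dbo].[users] where UserId = @UserId and Pwd = @Pwd";
        string userSqlConnection =
            ConfigurationManager.ConnectionStrings["SQLConnection"].ToString();

        User user = new User();

        // No catch block: the original "throw ex;" only discarded the stack trace.
        using (SqlConnection conn = new SqlConnection(userSqlConnection))
        using (SqlCommand cmd = new SqlCommand(qry, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddWithValue("@UserId", DbValue(userId));
            cmd.Parameters.AddWithValue("@Pwd", DbValue(pwd));

            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.Read())
                {
                    user.UserId = dr["UserId"].ToString();
                    user.UserName = dr["UserName"].ToString();
                    user.PayorCode = dr["PayorCode"].ToString();
                    user.AccessLevel = dr["AccessLevel"].ToString();
                    user.Application = dr["Application"].ToString();
                    // Needed by the activation check in btnLogin_Click. The column
                    // name is taken from the INSERT statement in InsertNewUser.
                    user.Status = dr["Status"].ToString();
                }
            }
        }

        return user;
    }

    /// <summary>
    /// Hashes <paramref name="dat"/> with MD5 and returns the decimal digits of each
    /// digest byte integer-divided by <paramref name="keyNumber"/>, concatenated.
    /// </summary>
    /// <remarks>
    /// Despite the name this is a one-way transformation, not encryption.
    /// SECURITY NOTE(review): this is not a sound way to store passwords. MD5 is
    /// unsalted and fast, and the division throws information away: with a
    /// keyNumber of 14 every digest byte collapses to a value from 0 to 18, and the
    /// pieces are joined without a separator, so different digests can give the same
    /// string. A salted, slow key-derivation function (for example PBKDF2 via
    /// <c>Rfc2898DeriveBytes</c>) is the appropriate replacement, but it needs a salt
    /// column, so the stored format is left as it is here.
    /// </remarks>
    /// <param name="dat">Text to hash; must not be null.</param>
    /// <param name="keyNumber">Divisor applied to each digest byte; zero throws
    /// <see cref="DivideByZeroException"/>.</param>
    /// <returns>The concatenated decimal string.</returns>
    private static string Encrypt(string dat, int keyNumber)
    {
        // UTF-8 instead of ASCII: the ASCII encoder maps every non-ASCII character
        // to '?', so different passwords produced the same hash. Results for
        // pure-ASCII passwords are unchanged; values already stored for non-ASCII
        // passwords would have to be reset.
        byte[] digest;
        using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
        {
            digest = md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(dat));
        }

        System.Text.StringBuilder pwd = new System.Text.StringBuilder();
        foreach (byte b in digest)
        {
            pwd.Append((b / keyNumber).ToString());
        }

        return pwd.ToString();
    }

    /// <summary>Maps a null string to <see cref="DBNull.Value"/> so it can be bound as a parameter.</summary>
    private static object DbValue(string value)
    {
        return (object)value ?? DBNull.Value;
    }
}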
 
 
Comments
Jamal Seyedi 12-Jan-12 2:48am    
I like it, thanks a lot.
But What I meant was how to protect password from client to server!
When user types his/her pass and then clicks the submit button.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


