Tuesday, May 1, 2012

What is the simplest secure way to authenticate users via AJAX?

I'm building a Google App Engine web app, with a Java back end, that relies heavily on JavaScript/jQuery in the browser (you can see it here).

I want to implement a user authentication mechanism that will also rely on AJAX (i.e. they will be able to register and log in without a page refresh).

I don't want to rely on Google's authentication because I've found that a lot of people are reluctant to give up their GMail email addresses, but I would like to support authentication via Google/Facebook/Twitter etc. in future.

I like the simplicity of Reddit's approach to user authentication.

My concern is that since people won't be using my app over HTTPS, I don't want to have to send a password in clear text over HTTP. I would also prefer to rely on some kind of secret token (perhaps a hash of the password and some server-provided "salt"), which could be intercepted and spoofed.

At the same time, I don't want to have to put a huge amount of effort into implementing the authentication mechanism.

Is there an approach that gives me the simplicity I want, yet which is secure over HTTP?

edit: I just realized that Google App Engine does support HTTPS, but only if you connect via the *.appspot.com URL for your site. Unfortunately you can't do AJAX calls to this due to cross-site scripting restrictions, although I guess it may be possible with JSONP.

So, is using JSONP+HTTPS+*.appspot.com the best approach here?


Source: Tips4all

2 comments:

  1. You must use HTTPS for secure communication via HTTP. There is no way to do secure communication from a browser without it.

    If you use JSONP + HTTPS on the appspot domain, your users will not see that your site is secure, and you will not be able to save cookies in a secure manner. For us, the only solution was to expose the ugly appspot.com domain directly to our customers. Google has been saying for a long time that SSL on custom domains is coming, but there's no date.

    Edit for PS: if you don't need your customers to see a green HTTPS, and don't need to save cookies in a secure manner (maybe instead a secure-by-obscurity session key?), JSONP + HTTPS to *.appspot.com sounds like a clever solution that would work.
  2. It's really a good question and it really needs some in-depth knowledge of cryptography. This is an article I found interesting a couple of months ago. They have a proposed solution using CRAM-MD5, a challenge-response authentication. Hope this could be helpful.

    http://en.wikipedia.org/wiki/CRAM-MD5

    http://blog.stochastictechnologies.com/secure-authentication-over-http

    Regards.
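
The CRAM-MD5 exchange the second comment points to, as an added Python illustration that is not part of the original post or of the linked article: the user store and the server name are constructed placeholders. It also shows why a server-chosen, one-time challenge matters for the question's worry about an intercepted token: a sniffed answer is rejected when replayed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo of CRAM-MD5 (RFC 2195): the server sends a one-time challenge,
# the client answers with HMAC-MD5 keyed by the password, so the password never
# crosses the wire and a captured answer is useless once the challenge is consumed.

# Hypothetical user store. Trade-off: CRAM-MD5 needs the password (or an equivalent
# HMAC key) in recoverable form on the server, unlike a salted password hash.
USERS = {"alice": b"correct horse battery staple"}

def make_challenge(server_name: str = "example.appspot.com") -> str:
    """Issue a fresh, unpredictable challenge in the RFC 2195 shape <id.timestamp@host>."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{server_name}>"

def client_response(username: str, password: bytes, challenge: str) -> str:
    """What the browser-side script computes: 'user hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password, challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

def server_verify(response: str, challenge: str, issued: set) -> bool:
    """Check the response against the stored secret and consume the challenge."""
    if challenge not in issued:
        return False            # unknown, expired or already-used challenge
    issued.discard(challenge)   # single use: a replayed answer fails here
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison

def run_exchange() -> dict:
    """One valid login, then a replay of the captured answer, then a wrong password."""
    issued = set()
    chal = make_challenge()
    issued.add(chal)
    captured = client_response("alice", USERS["alice"], chal)  # what a sniffer sees
    login_ok = server_verify(captured, chal, issued)
    replay_ok = server_verify(captured, chal, issued)  # same answer sent again
    chal2 = make_challenge()
    issued.add(chal2)
    wrong_ok = server_verify(client_response("alice", b"guess", chal2), chal2, issued)
    return {"login": login_ok, "replay": replay_ok, "wrong_password": wrong_ok}
```

Two caveats a reviewer would raise: the server has to hold the password in recoverable form, and nothing here protects the session cookie issued after login, which is the first comment's point about needing HTTPS.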