[Cosmo-dev] CMP and AJAX
Matthew Eernisse
mde at osafoundation.org
Thu Sep 21 16:47:11 PDT 2006
The biggest problem does seem to be credentials on the client. Comments
inline.
Travis Vachon wrote:
> We'd like to make things AJAX-y, which means storing the password so
> that JavaScript can get access to it. Two solutions immediately come to
> mind:
>
> a) Have the server inject credentials into a page so that the client can
> then send them to the CMP server.
> + Easy
> - Credentials end up in browser cache (!!!)
> - Credentials frequently sent across wire
There is a certain level of silliness in having the server send the
client the password to send back to itself. And I guess you'd have to
use the session to get the password to supply to the client.
> b) Have the client store credentials in a transient (session) cookie
> when the user logs in.
> + As far as I can tell, credentials never written to disk
> + Credentials never sent across wire except when needed to authenticate
> to CMP
> - Maybe a little trickier (but not really)
The cookie option is probably even worse than a JS variable, since
cross-site shenanigans could in theory give malicious people access to
that cookie. There's also a nice GUI you can use to look at all the
cookies set in a browser. Poking around for a variable with a JS shell
would at least require some facility with programming and knowledge of
the source code.
Matthew
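The two options in the thread both leave the password somewhere the browser can read it (page source or a script-visible cookie). As an added example, not code from this thread or from the Cosmo project, the following stdlib-only Python sketch shows the arrangement Matthew alludes to with "use the session": the server keeps the CMP credentials in its own session store, the browser only ever holds an opaque random session id in an HttpOnly cookie (which `document.cookie` cannot read), and the server attaches the credentials to its outbound CMP request when one is needed. The cookie name `JSESSIONID`, the `_USERS` table and the use of HTTP Basic auth toward CMP are assumptions for the demo.

```python
import base64
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed user table for the demo (plaintext only to keep the sketch short).
_USERS = {"alice": "correct horse"}

# Constructed server-side session store: opaque session id -> (user, password).
# In a real servlet container this would be the HttpSession, not a module dict.
_SESSIONS = {}

COOKIE_NAME = "JSESSIONID"  # assumed cookie name


def login(username, password):
    """Check the password and return a Set-Cookie header value, or None.

    The browser receives only a random session id flagged HttpOnly, so script
    on the page (including injected script) cannot read it; the password
    itself never leaves the server again.
    """
    expected = _USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)
    _SESSIONS[sid] = (username, password)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def credentials_for_request(cookie_header):
    """Map the Cookie header of an AJAX request back to stored credentials.

    Returns (username, password) for the server to use toward CMP, or None
    when the request carries no known session.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return _SESSIONS.get(morsel.value)


def cmp_authorization_header(cookie_header):
    """Build the Authorization header the server sends to CMP on the client's
    behalf (assumed Basic auth), or None if the session is unknown.

    This is the only point where the password goes across the wire, and it is
    server-to-server, never to the browser.
    """
    creds = credentials_for_request(cookie_header)
    if creds is None:
        return None
    username, password = creds
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def logout(cookie_header):
    """Drop the server-side session so the cookie value becomes useless."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    return morsel is not None and _SESSIONS.pop(morsel.value, None) is not None


if __name__ == "__main__":
    hdr = login("alice", "correct horse")
    print("Set-Cookie:", hdr)
    sid = hdr.split(";")[0].split("=", 1)[1]
    print("CMP header:", cmp_authorization_header(f"{COOKIE_NAME}={sid}"))
    print("logged out:", logout(f"{COOKIE_NAME}={sid}"))
    print("after logout:", credentials_for_request(f"{COOKIE_NAME}={sid}"))
```

The point of the sketch is what the client-visible surface contains: the page source carries no password, and the cookie a JS shell or the browser's cookie viewer would show is a random id that is worthless once `logout` (or a session timeout) removes the server-side entry.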