提交没有明文密码的 Javascript 表单
我有一个用户名和密码存储在具有两种方式加密的数据库中。我想使用这些来登录具有 JS 表单的网站,如下所示:
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://www.someloginscript.com/");
var f = document.createElement("input");
f.setAttribute("type", "text");
f.setAttribute("name", "username");
f.setAttribute("value", myUser);
var f1 = document.createElement("input");
f1.setAttribute("type", "text");
f1.setAttribute("name", "password");
f1.setAttribute("value", myPass);
form.appendChild(field);
form.appendChild(f1);
document.body.appendChild(form);
form.submit();
我想提交带有密码的表单,但是要做到这一点,我需要先解密它。如果我解密它,则可以通过“检查元素”功能看到密码。我显然不想要这个。
我偶然发现了一个名为 www.clipperz.com 的网站,它完全符合我的要求,但我不确定如何实现。我是否需要从 http://sourceforge.net/projects/clipperz/ ?还是这一切都是雾里看花,让它看起来更安全?
谢谢!
编辑:我现在知道没有安全的方法可以做到这一点。使用curl 是提交此表单的更安全的方式吗?这样我就可以保留服务器端的所有密码处理吗?
I have a username and password stored in a db with 2 way encryption. I would like to use these to log into a site with a JS form like this:
var form = document.createElement("form");
form.setAttribute("method", "post");
form.setAttribute("action", "http://www.someloginscript.com/");
var f = document.createElement("input");
f.setAttribute("type", "text");
f.setAttribute("name", "username");
f.setAttribute("value", myUser);
var f1 = document.createElement("input");
f1.setAttribute("type", "text");
f1.setAttribute("name", "password");
f1.setAttribute("value", myPass);
form.appendChild(field);
form.appendChild(f1);
document.body.appendChild(form);
form.submit();
I would like to submit the form with the password, however to do this I need to decrypt it first. If I decrypt it then the password is visible through the 'Inspect Element' functions. I obviously don't want this.
I have stumbled upon a site called www.clipperz.com which does exactly what I want but I am not sure how. Do I need to implement their open source encryption library from http://sourceforge.net/projects/clipperz/ ? Or is it all smoke and mirrors that makes it appear more secure?
thanks!
edit: I now know that there is no secure way of doing this. Is using curl a more secure way of submitting this form? This way I can keep all the handling of passwords server side?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您没有具体指定,但听起来您正在尝试在一个站点上使用 Javascript 来自动登录到另一个站点?这是正确的吗?听起来您还想对所有用户使用通用登录,您需要防止用户看到。
我认为这不会以您尝试的方式可行。问题在于浏览器上的用户可以通过 Firebug 等工具完全访问 Javascript 代码及其使用的所有数据。使用这些工具,他甚至可以在页面加载后修改代码。
简而言之,没有办法让 Javascript 处理数据而不让用户能够查看数据。
我建议更好的方法可能如下:
站点 1 向站点 2 发送一条消息,通知它想要登录用户。它告诉它用户的 IP 地址、想要使用的登录详细信息以及其他相关详细信息。
站点 2 使用令牌代码响应站点 1,然后站点 1 将
然后,用户浏览器上的 Javascript 代码将令牌而不是登录名和密码发布到站点 2。
站点 2 将其识别为刚刚提供给站点 1 的令牌,并且该令牌来自被告知的 IP 地址,并让用户登录,就像收到了一组正常的登录详细信息一样。
此过程显然需要您在站点 1 和站点 2 上编写代码,因此您必须对这两个站点都具有完全访问权限。如果站点 2 是第三方系统,那么您可能必须想出其他办法。
You haven't specified it exactly, but it sounds like you're trying to use Javascript on one site to automate a login process into another site? Is that correct? It also sounds like you want to use a general login for all users, which you need to prevent the users from seeing.
I don't think this will be workable in the way you're trying to do it. The problem is that the user on the browser has complete access to the Javascript code and all the data it uses, via tools like Firebug. Using these tools, he can even go as far as modifying the code after the page has loaded.
In short, there is no way of letting Javascript handle the data without giving the user the ability to see it.
I would suggest a better approach might be something as follows:
Site 1 sends a message to Site 2, informing it that it wants to log in a user. It tells it the users IP address, the login details it wants to use and other relevant details.
Site 2 responds to Site 1 with a token code which Site 1 then sends to the user's browser.
The Javascript code on the user's browser then posts the token to Site 2 instead of a login name and password.
Site 2 recognises it as the token it just gave to Site 1, and that it has come from the IP address it was told about, and logs the user in as if it had received a normal set of login details.
This process obviously requires you to write code on both Site 1 and Site 2, so you have to have full access to both of them. If Site 2 is a third party system, then you may have to come up with something else.
无论您最终发送到第三方网站的信息是什么,都必须在某个时刻提供给用户的浏览器 - 那时他们将能够检查它并获取信息。
或者,他们可以查看从他们的机器发出的 HTTP 请求。
关键是,如果用户计算机上的信息需要在任何时候都处于解密状态,则无法对用户隐藏该信息。
Whatever information you end up sending to the third-party site, will have to be made available to the user's browser at some point - and at that point they'll be able to inspect it and get the information out.
Alternatively, they could look at the HTTP requests being made from their machine.
The point is, information on the user's machine can't be hidden from the user if it needs to be in a decrypted state on their machine at any point.