How to secure a password from being readable at the client?

I need to pass username and password which is at the server to my web chat clients javascript function. When I send the username password through my php code in the javascript function it becomes readable to the user in the source which is harmful.

Please share your solutions.

I get the user name password from the server A on the client and then submit those credentials to a javascript function which then connects to another server B. Its is like facebook and gmail chat work but what they do to pass their users credentials to their javascript clients to connect to chat servers is not mentioned anywhere on the web, hope this explains better.


I assure you this is not how facebook and gtalk do it. Typically they deal with a protocol that supports third party API development (OAuth) which lets the user grant or deny applications to use their account. At no time does the client application know the credentials of the user. This is why OAuth is popular.

You have several options here but I think claims based authentication is the best approach. Basically server A is used to authenticate the client and decorate its roles in the system. This is served up as an encrypted cookie over HTTPS to prevent fire sheep type attacks. Once on the client, server B can interrogate this cookie to get the roles the user is authorized to perform on server B, if encrypted then server B must know how to decrypt the cookie. Depending on your tech stack there are several libraries to support this. Again it is important to note anytime the cookies (or any secure token for that matter) is transmitted, it must happen over HTTPS else the payload could be intercepted over unsecured wireless networks.

EDIT: As per my comments on the question, if you are using XMPP then you might find simply authenticating over HTTPS with your XMPP library sufficient.


不要在Javascript中进行验证 - 在您的PHP代码中进行验证。


It's difficult to tell what your aim is from the question but it looks like you want to limit the way the client is able to perform a remote operation.

Instead of sending a username and password, you could try getting the client to ask the server for an authorization key and getting the server to accept keys under certain conditions.

You could then limit use of the key by:

  • Checking the clients IP address and user agent
  • Allowing the key to be used only once (eg store its use in a database)
  • Allowing the key to be used within a time limit of when it was generated
  • You should always assume any client side operations can be spoofed.

    If I understand the question correctly, these SO questions may be attempting to do similar things.

  • Passing untampered data from Flash app to server?
  • What is the best way to stop people hacking the PHP-based highscore table of a Flash game.
  • Secure Online Highscore Lists for Non-Web Games
  • 链接地址: http://www.djcxy.com/p/94142.html

    上一篇: iPhone Jabber / XMPP客户端...“TURN连接失败”

    下一篇: 如何确保密码不被客户端读取?