Sessionless Security
Posted: Sun Oct 26, 2008 2:59 pm
I'm building (mostly as a personal project) a small site that allows me to maintain an organized list of things. There are three pages: login, settings, manage list. Normally what I do is have the login page start a session with the username and pertinent data in it upon validation of the login information. However, I'm toying with simply requiring a password every time you change anything, and using JavaScript to remember the validated username from the login page. So, in effect, to get past the login page, you need a username and password. To change your settings page, you need just the right password, likewise for the management page. The only security weakness I could think of with this system is that a packet sniffer could pick up plaintext passwords as they're sent to the server using Ajax. So, I hash the password client side before it's sent to the server.
Is there anything inherently insecure* with doing things this way? If so, are there steps I can take to make it secure, or is a session really the best option?
*Granted it's not very user friendly (password every time I change something? BAH), but I don't anticipate users changing anything more than once a month or so.