AJAX - The Complete Reference


PART II

Chapter 7: Security Concerns 309


any script downloaded can be reversed and, as you will see later, potentially even hijacked,
this may not be appropriate security for highly sensitive data. However, we do provide a
demonstration of an Ajax-focused SSL system written in JavaScript known as aSSL at
http://dotnet.ajaxref.com/assl/authenticationassl.asp. When you look at this example,
note the encryption of the POST data as shown:

Do note that this is just a proof of concept and with the SSL encryption being performed
in client-side script there is cause for concern. However, for casual monitoring of connections
this is certainly quite an improvement on passing data in the raw.

NOTE When employing the highest degree of SSL encryption you should be aware that there may be
certain export restrictions in place that may create legal concerns for Web applications that must
work worldwide.

Giving Up on HTTP Authentication
Even if SSL cannot be employed, a more appropriate option when using HTTP-based
authentication would be to use digest authentication instead of basic. Digest is also built
into HTTP, but it is much more secure: rather than sending the password itself, the client
sends a hash of the password combined with a nonce, in other words a number or bit string
used only once, so the plaintext password never crosses the wire. Digest is a bit more
complicated to set up, as it may be necessary to modify the Web server to support the
authentication scheme. The client-side code is the same as in basic mode, though if you
are going to handle it yourself, the server-side code must be changed to check the digest
response instead of the plaintext password. An example using digest authentication can be
found at http://ajaxref.com/ch7/authenticationdigest.html.
Yet another option with HTTP authentication would be to extend the built-in authentication
to perform a custom form of authentication. While discussed in some specifications, this seems
an extremely rare approach and we found no clear examples of implementations that would do
this. However, if possible, it might be quite useful with Ajax-based communication.

Even if you can get advanced HTTP authentication working correctly, it just isn't
reasonable as implemented in most browsers, especially when considering that the user
will have a hard time logging out! Yes, you read that right: it is really difficult to
predictably log out of an HTTP authentication session without closing your browser. Many
sites suggest it cannot be done at all. There are workarounds that may work, but not
terribly reliably, even with the power provided by an XHR. You might be tempted upon
logout to invalidate the credentials by trying to log in again with the wrong credentials.
Unfortunately, that often does not work, and trying to do various tricks with aborting
requests may be just as problematic. Internet Explorer does support some proprietary
JavaScript that can do the trick, as shown here:

document.execCommand("ClearAuthenticationCache");

However, this is not a cross-browser solution as it will only work in Internet Explorer.