Verifying Passwords on the Server-Side


To add a final layer of security to our Ajax applications, we will verify the unique passwords we created when they are sent with requests to the server side. We will create a method called verifyPassword that takes an array and the previously created password as parameters. The array in this case will be the PASSWORD array that was created in the Constants object. Once the method has been called with these parameters, we split the password at the colon that we inserted in the getPassword method. This leaves us with an array of two values: the first is the md5 hash of the array value from the getPassword method, and the second is the random index that we chose and appended to the password when we returned it. With the password split into an array, we use the second value, the random array index, to look up the seed in the arr array, the same value that the getPassword method hashed with md5. With this seed value in hand, we create a new password by performing the same concatenation of values as when we created the password. This concatenated value is then compared with the password that was passed in as the parameter, and the resulting Boolean value is returned. Listing 23.7 shows this method and the code we have just covered.

Listing 23.7. Creating a Method to Verify the Password (PasswordManager.class.php)

public function verifyPassword($arr, $password) {
    // Split the "md5:index" password at the colon inserted by getPassword()
    // (explode() replaces split(), which was removed in PHP 7)
    $uid = explode(":", $password);
    // Look up the seed value at the random index appended to the password
    $seed = $arr[$uid[1]];
    // Rebuild the password from the seed and compare it with the one passed in
    return md5($seed) . ":" . $uid[1] == $password;
}

To put this method to use, we will add it to the serviceConnector.php file. This file will need to include the Constants and PasswordManager objects in order to use the verifyPassword method. After the objects have been included, we get the instance of the PasswordManager and call the verifyPassword method, passing the Constants PASSWORD property as the array parameter and the unique id that the AjaxUpdater sent in the query string of the request. If the verification succeeds, we move forward by making the request. Take a look at Listing 23.8 to see how this code is added to the serviceConnector.php file.

Listing 23.8. Verifying the Password in the Service Connector (serviceConnector.php)

<?php
require_once("classes/utils/Constants.class.php");
require_once("classes/security/PasswordManager.class.php");

$pwManager = PasswordManager::getInstance();

// Verify the password that the AjaxUpdater passed in the uid query-string parameter
if ($pwManager->verifyPassword(Constants::$PASSWORD, $_GET['uid'])) {
    header("Content-Type: application/xml; charset=UTF-8");
    require_once("classes/UserManager.class.php");
    require_once("classes/Email.class.php");
    // The object and method names are taken directly from the query string
    $o = new $_GET['object']();
    echo $o->$_GET['method']($_GET['params']);
}
?>
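The following is an added example and not the book's code: it reimplements the verifyPassword check described above with the defensive details a server-side reviewer would expect (the index is validated before it is used as an array key, a malformed password returns false instead of raising a notice, and the comparison uses hash_equals so that it does not leak timing information), and it pairs the check with an allow-list for the object/method dispatch in serviceConnector.php so that only named classes and methods can be reached from the query string. The seed values, the allow-list entries and the isAllowedCall helper are constructed for the example and are not part of the book's PasswordManager or Constants classes. Note that the token scheme itself is unchanged: anyone who knows the PASSWORD array can reproduce a valid token, so this check only confirms that a request was built by code holding that array.

```php
<?php
// Added example, not the book's code. Class and constant names follow the chapter;
// the seed values and the allow-list below are constructed for illustration.

class Constants {
    // Constructed sample seeds; the book's PASSWORD array holds the real values.
    public static $PASSWORD = array('seed-one', 'seed-two', 'seed-three');
}

class PasswordManager {
    private static $instance = null;

    public static function getInstance() {
        if (self::$instance === null) {
            self::$instance = new PasswordManager();
        }
        return self::$instance;
    }

    // Same scheme as the chapter: md5(seed) . ":" . index, where index picks the seed.
    public function getPassword($arr) {
        $i = array_rand($arr);
        return md5($arr[$i]) . ":" . $i;
    }

    // Verifies a token of the form "<md5>:<index>" against the seed array.
    public function verifyPassword($arr, $password) {
        if (!is_string($password)) {
            return false;
        }
        // Split at most once so a stray colon in the input cannot shift the index.
        $parts = explode(":", $password, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[1])) {
            return false;
        }
        $index = (int) $parts[1];
        // Reject indexes outside the seed array instead of reading an undefined key.
        if (!array_key_exists($index, $arr)) {
            return false;
        }
        $expected = md5($arr[$index]) . ":" . $index;
        // Constant-time comparison of the rebuilt token with the one supplied.
        return hash_equals($expected, $password);
    }
}

// Allow-list for the dispatch step of serviceConnector.php (assumed entries):
// only these object/method pairs may be instantiated and called from the request.
$allowedCalls = array(
    'UserManager' => array('getUsers', 'getUser'),
    'Email'       => array('send'),
);

function isAllowedCall($allowed, $object, $method) {
    return isset($allowed[$object]) && in_array($method, $allowed[$object], true);
}

// Self-check with constructed values.
$pm = PasswordManager::getInstance();
$token = $pm->getPassword(Constants::$PASSWORD);
var_dump($pm->verifyPassword(Constants::$PASSWORD, $token));
var_dump($pm->verifyPassword(Constants::$PASSWORD, "abc:1"));
var_dump($pm->verifyPassword(Constants::$PASSWORD, "abc:99"));
var_dump($pm->verifyPassword(Constants::$PASSWORD, "no-colon"));
var_dump(isAllowedCall($allowedCalls, 'UserManager', 'getUsers'));
var_dump(isAllowedCall($allowedCalls, 'Email', 'deleteAll'));
```

In the service connector, the dispatch would then become a check of isAllowedCall against $_GET['object'] and $_GET['method'] before the new and method call, with a 403 response when the pair is not listed. hash_equals requires PHP 5.6 or later.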

Although database-enabled XHRs are fairly easy to accomplish, we must keep in mind that they can be very insecure if we do not appropriately secure them. The object in this chapter is just an example of how you can secure your requests; other methods can easily be added to PasswordManager in order to add more encryption to the passwords and so on. Remember that with great power comes great responsibility, and it is important to secure the requests on both the client and server sides.

Ajax for Web Application Developers
ISBN: 0672329123
Year: 2007
Pages: 129
Authors: Kris Hadlock