
I have a Symfony 2.7 installation with FosUserBundle (users), FosRestBundle (API) and NelmioCorsBundle (CORS). I followed some guides which were written at a (recent, if I understand well) time when FosUserBundle was using SHA512 with a salt for password encryption.

I have a working WSSE server on my Symfony, and I'm trying to make requests from a JavaScript client in a secure way. With the old "SHA512 + salt" way, I see how to do it: a public API for getting the salt on the client side, and then we recreate the encrypted password "as in the database" before sending it via the WSSE header. I think this is also good for keeping the password in cache (better than a non-encrypted password).

But since bcrypt has a built-in salt, how can I generate the encrypted password on the client side? Of course, one solution would be to stop using bcrypt and start using SHA512 + salt, but that is less secure; another solution would be something like OAuth2 and HTTPS, but I would like to find a secure solution without HTTPS for now.

Any clue?

Thanks!

adari

1 Answer


If you are able to generate encrypted passwords on the client side that match what your server has, then you may as well not use passwords at all. No matter how you do it, it is going to be insecure.

Take a look at a token based approach. Plenty of examples out there.

  1. Client sends a token request with something like:
     POST /tokens (user name and password as payload, https only please)
  2. Server authenticates the user and returns a token (possibly a JSON web token)
  3. Client sends the token back on each request, usually in a header
Cerad
  • Okay, so what you are saying is that the "only way" to do it properly is with https (and the first time the password is sent "as is", but it's okay because it's over SSL, am I correct?). Then, what protocol would you suggest? I was looking into oauth2, but as my client is in JavaScript (Polymer) there is no way to keep the client key safe, or am I missing something here? – adari Jul 18 '15 at 17:01
  • Guess I'm not understanding. You said you were using FOSUserBundle. So I assumed you have a database of users and passwords accessible by your server. Is this not the case? oauth2 is a different approach to authentication. Have your server authenticate the user then send back a token to the client. Then use the token for subsequent requests. – Cerad Jul 18 '15 at 17:14
  • Yes, that's correct. I think I got confused with oauth2 because this approach is indeed using a token system. But what I understand from your answer is that I can build a token system on my actual authentication system. Thanks! – adari Jul 18 '15 at 17:31