Submitting a Javascript form without plaintext password?

It also sounds like you want to use a general login for all users, which you need to prevent the users from seeing. I don't think this will be workable in the way you're trying to do it. The problem is that the user on the browser has complete access to the Javascript code and all the data it uses, via tools like Firebug.

Using these tools, he can even go as far as modifying the code after the page has loaded. In short, there is no way of letting Javascript handle the data without giving the user the ability to see it. I would suggest a better approach might be something as follows: Site 1 sends a message to Site 2, informing it that it wants to log in a user. It tells it the user's IP address, the login details it wants to use and other relevant details.

Site 2 responds to Site 1 with a token code which Site 1 then sends to the user's browser. The Javascript code on the user's browser then posts the token to Site 2 instead of a login name and password. Site 2 recognises it as the token it just gave to Site 1, and that it has come from the IP address it was told about, and logs the user in as if it had received a normal set of login details.

This process obviously requires you to write code on both Site 1 and Site 2, so you have to have full access to both of them. If Site 2 is a third party system, then you may have to come up with something else.

Cheers for the comprehensive response. Site2 is a third party site so I will need to come up with something else. Perhaps curl will be a more secure way of submitting the form? – user727085 Apr 27 at 11:38

Curl will indeed be much more secure. But it has the disadvantage that the login will be tied to your server rather than to the user's PC; this may cause things not to work if you need to do subsequent requests from the user's PC. (you could route them all through your server, but this will go wrong if you have multiple concurrent users). The best approach may be simply to contact the owners of Site 2 and discuss your requirements with them; they may have an API already, or be willing to work with you on a solution similar to the one I described. – Spudley Apr 27 at 11:44
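The token hand-off described in the answer above, seen from Site 2's side, as an added example that is not part of the original answers. The names `issueToken` and `redeemToken`, the one-minute lifetime, the single-use rule and the sample values are assumptions, and Site 1's server-to-server call is assumed to be authenticated before `issueToken` runs.

```javascript
// Added example (not from the original answers): Site 2's side of the token
// hand-off. All names, the lifetime and the single-use rule are assumptions.
const { randomBytes, createHash } = require('crypto');

const TOKEN_TTL_MS = 60000;  // assumed lifetime: the browser must redeem within a minute
const pending = new Map();   // sha256(token) -> { account, clientIp, expires }

// Only a hash of the token is stored, so a dump of `pending` yields no usable tokens.
const digest = (token) => createHash('sha256').update(String(token)).digest('hex');

// Site 1 (server to server) names the account to log in and the user's IP address.
// Site 2 returns an opaque token; the real login details never reach the browser.
function issueToken(account, clientIp, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  pending.set(digest(token), { account, clientIp, expires: now + TOKEN_TTL_MS });
  return token;
}

// The browser posts the token to Site 2 instead of a login name and password.
function redeemToken(token, requestIp, now = Date.now()) {
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return { ok: false, reason: 'unknown-or-used' };
  pending.delete(key); // single use: any presentation, even a failed one, burns it
  if (now > entry.expires) return { ok: false, reason: 'expired' };
  if (requestIp !== entry.clientIp) return { ok: false, reason: 'ip-mismatch' };
  return { ok: true, account: entry.account };
}

// Constructed walk-through using documentation-range IP addresses.
const demoToken = issueToken('shared-login', '203.0.113.7');
console.log(redeemToken(demoToken, '203.0.113.7')); // accepted
console.log(redeemToken(demoToken, '203.0.113.7')); // replay rejected
```

The IP check compares whatever address Site 2 sees, so users behind the same proxy or NAT all match; the short lifetime and single-use rule are what limit replay in that case.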

Whatever information you end up sending to the third-party site will have to be made available to the user's browser at some point - and at that point they'll be able to inspect it and get the information out. Alternatively, they could look at the HTTP requests being made from their machine. The point is, information on the user's machine can't be hidden from the user if it needs to be in a decrypted state on their machine at any point.

Thanks for the response. This makes perfect sense. So, does this mean that there is a way to submit this form server side? Perhaps this is how clipperz.com is doing it? – user727085 Apr 27 at 11:24

Clipperz doesn't seem to hide the passwords from the user, it just gives you a way to not have to type them yourself – Gareth Apr 27 at 11:38
