Signup forms .... sending password and username to backend

Hi, just wondering how people send password and username in forms … I haven't used forms before and now that I'm working on the backend section I need to create a signup and login and logout … didn't think it would be a problem until I got working on the form …

Problem with the form is it posts all right but the username and password were visible when you go to dev tools to look at the network/headers tab … and after not finding anything online except about how they should be encoded in base64 … but nothing on how to change the form to do this …
So after a bit more googling I found I could write a JavaScript function that will run when clicking the submit button … encode the password and username to base64 and then submit the form … to do this I had to add a hidden input and send just the value in this in the form plus remove the name attribute from the other inputs to stop them being sent … you can see how I did it in the attached repl.

But I am wondering how others approached this … I know I can use OAuth but I want to be able to do signup login logout and to make sure I'm doing it properly and securely … any advice would be appreciated.

You will want to have a secure connection using https, which will require an SSL cert. Once you have the secure connection active you can just post the name and password.

Also keep in mind you will want to run a reCAPTCHA on the form as well to keep bots at bay.

Thanks for the reply … so if I'm using a Heroku free account which runs over https, that is enough and I don't have to worry about the password and username after I encode them.

…also base64 is not secure because you can decrypt it easily.

reference https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding
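Added example, not part of the thread: the base64 hidden-field approach described above gives an observer of the request body the same credentials as plain fields, and the HTTPS check is what the server should enforce instead. The field name `payload`, the `username:password` layout and the sample values are assumptions made for illustration, and the `X-Forwarded-Proto` check assumes the app runs behind a proxy that sets that header (as Heroku's router does).

```javascript
// Constructed sample: the urlencoded POST body as DevTools or a proxy shows it.
// Assumption: the hidden input is named "payload" and holds
// base64("username:password"); the thread does not show the real format.
const capturedBody = "payload=" + encodeURIComponent(
  Buffer.from("alice:correct horse", "utf8").toString("base64")
);

// Recover the credentials from the body with standard decoding only.
// No key or secret is involved, which is why base64 adds no confidentiality.
function recoverCredentials(body) {
  const raw = new URLSearchParams(body).get("payload");
  if (raw === null) return null; // field not present
  const decoded = Buffer.from(raw, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep === -1) return null; // not in the assumed layout
  return {
    username: decoded.slice(0, sep),
    password: decoded.slice(sep + 1), // password may itself contain ":"
  };
}

// Server-side gate: refuse to process credentials that did not arrive over TLS.
// Header names are lowercased, as Node's http module presents them.
function isSecureRequest(headers) {
  const proto = (headers["x-forwarded-proto"] || "").split(",")[0].trim();
  return proto === "https";
}

console.log(recoverCredentials(capturedBody));
console.log(isSecureRequest({ "x-forwarded-proto": "https" }));
```
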

Yeah, I know it's just encoded, not encrypted … it just seems to be the recommendation to encode the username and password so I did.
As for bots, that's a problem for another time but will keep it in mind … as it hadn't been something I had considered till you mentioned it. Have read hidden input fields have been used and if they are filled in you know it was a bot … so I'll read up on that again and on captcha. Ty ty

Yes, the https is a secure connection to the server. The only other issues you might see are related to a new issue with sloppy cert authorities, but that is not under your control since your site is hosted. Only thing you can do is ask who issued the CA and decide if it is worth using them.

This is a big issue and so the CA must be a good source.

Thanks to your post I searched for some information on the subject, really interesting things to be found on the web. Here is a nice Stack Overflow answer which I think might be helpful for you.