Passing Aura.Auth credentials to jQuery autocomplete


Andy Tr

Mar 7, 2017, 9:53:43 AM
to The Aura Project for PHP
Hi,

I'm using Aura.Auth with PDO for authentication on my small multi-tenant web app. One of the forms uses jQuery autocomplete to do a very simple lookup on a column in the tenant's database (which is a completely separate SQL DB for each tenant). The autocomplete function executes a PHP script that returns the matching column data.

Does anybody have any advice on how to securely pass the logged-in user's Aura.Auth credentials to the PHP script using jQuery autocomplete, please?

My current method (built using my beginner skillset) encrypts the user's database credentials into a very long string that is visible within the page source.  While this works, as autocomplete passes this encrypted string to the PHP script, which in turn decrypts to view the tenant's DB credentials, it means anybody who manages to copy the encrypted string of another user can log in to my app as themselves, then run queries as the tenant whose DB credentials they've stolen.  I know this is a big flaw, so I'm looking for the correct way to do this.

Another method I've since read about would be to create an authentication token that expires, rather than passing an encrypted string of the DB credentials.  This also appears insecure to me, as the token can still be stolen and used elsewhere until it expires.  Would the correct method be to authenticate using both the token and IP address of the user?  If so, what would happen if the user happens to be on a network that has two external IP addresses or happens to have a dynamic external IP that changes mid-session?

Any help is always appreciated!

Cheers

Andy
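The safer shape of the lookup script described in the post, as an added example that is not from the original thread or from the Aura project: the endpoint resumes the existing Aura.Auth session (the session cookie is the only thing the browser holds) and resolves the tenant's DB credentials on the server from the authenticated identity, so nothing needs to be encrypted into the page source or sent with the autocomplete request. It assumes Aura.Auth 2.x, that the PDO adapter was configured to load a `tenant_id` column into the user data, and a placeholder `customers.name` column and tenant map.

```php
<?php
// lookup.php: the endpoint jQuery UI autocomplete requests with ?term=...
// Hypothetical example code; table, column and tenant names are placeholders.
require __DIR__ . '/vendor/autoload.php';
use Aura\Auth\AuthFactory;

// 1. Resume the login Aura.Auth keeps in the server-side PHP session.
//    The browser only holds the session cookie, so no DB credential and no
//    encrypted blob ever appears in the page source or the request.
$auth_factory = new AuthFactory($_COOKIE);
$auth = $auth_factory->newInstance();
$auth_factory->newResumeService()->resume($auth);

header('Content-Type: application/json');
if (! $auth->isValid()) {
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

// 2. Pick the tenant from the authenticated identity, never from the request.
//    getUserData() holds the extra columns loaded at login ('tenant_id' assumed).
$tenant_id = (string) ($auth->getUserData()['tenant_id'] ?? '');

// Placeholder map of tenant DB credentials. It lives only on the server
// (config file or master DB), so a user can reach no tenant but their own.
$tenants = [
    'acme'   => ['mysql:host=db;dbname=tenant_acme',   'acme_ro',   (string) getenv('ACME_DB_PASS')],
    'globex' => ['mysql:host=db;dbname=tenant_globex', 'globex_ro', (string) getenv('GLOBEX_DB_PASS')],
];
if (! isset($tenants[$tenant_id])) {
    http_response_code(403);
    echo json_encode(['error' => 'no tenant for this user']);
    exit;
}
[$dsn, $db_user, $db_pass] = $tenants[$tenant_id];
$pdo = new PDO($dsn, $db_user, $db_pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 3. Prefix search with a bound parameter; escape the LIKE wildcards the user
//    may type so "50%" matches literally instead of widening the search.
$term = substr((string) ($_GET['term'] ?? ''), 0, 64);
$like = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
$stmt = $pdo->prepare(
    "SELECT name FROM customers WHERE name LIKE :term ESCAPE '!' ORDER BY name LIMIT 10"
);
$stmt->execute([':term' => $like]);
// jQuery UI autocomplete accepts a plain JSON array of strings.
echo json_encode($stmt->fetchAll(PDO::FETCH_COLUMN));
```

On the page, the widget then needs only `source: '/lookup.php'`; the session cookie travels with the same-origin request automatically, and marking it HttpOnly and Secure keeps it out of page scripts and plain HTTP.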

Hari K T

Mar 7, 2017, 11:37:17 AM
to aur...@googlegroups.com
I am unsure about your requirement; what does jQuery autocomplete have to do with Auth?

If the user wants to save their credentials in the browser, the browser can do the same. So not sure.

If you are looking for a remember-me sort of cookie, you can look at https://github.com/gbirke/rememberme .

Hope that helps.