I am going to run the node.js server in a Windows environment (via Cygwin) on an internal network that needs access to the client's Windows login information. The best method I came up with is to have an iFrame with an ASP page that just does
Response.Write(Request.ServerVariables("AUTH_USER"))
Then load the iFrame content at boot time and save it in Javascript. It should contain something like "MANAGER / HisLogin", and I can save this variable. I could sha1 / salt it for security reasons.
A couple of questions:
Are there any inherent security risks when doing something like this? IIS and node.js will work on the same server, but with different ports. If necessary, I could force IIS to listen only to the local host.
Is there a better route than the iFrame content received by and relying on Javascript? I understand that the client can change the contents of the iFrame and Javascript variable, but the content is read only once, and I can create a self-destruct function in Javascript closure that is caused by loading the iFrame, for example:
Example:
var login = function() {
var loginInfo = null;
return {
init: function(theLogin) {
loginInfo = theLogin;
this.init() = function() {};
},
getLogin: function() {
return loginInfo;
}
};
}();
This is the header node.js tells
headers: {
host: '/*Removed*/',
connection: 'keep-alive',
accept: 'application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
'user-agent': 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7',
'accept-encoding': 'gzip,deflate,sdch',
'accept-language': 'en-US,en;q=0.8',
'accept-charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
cookie: 'socketio=websocket'
},
Edit 2
Another alternative that I was thinking about is publishing the results of loading the iFrame page instead of Response.Write. I need to find a way to map the message to each other.
source
share