Author Topic: Ajax Login

Tribal
Ajax Login
« on: November 16, 2008, 03:17:53 PM »
If you were to make an AJAX login system, would it be any less secure than a normal HTTP login system? My thoughts on this are that when you get sent to the next page, the password is sent to the next page as plain text. So would this be any different in AJAX? Getting sent to the page via plain text again.

Zeggy (Global Moderator)
Re: Ajax Login
« Reply #1 on: November 16, 2008, 03:22:39 PM »
You wouldn't need to send the password back, it would be pretty much just like a regular login form :)

Scion
Re: Ajax Login
« Reply #2 on: November 17, 2008, 02:46:42 AM »
Can you not use HTTPS to post your data.....

Then again it's worth considering just how secure you need to be.....no point spending 3/4 of your time making a near bulletproof login if you're targeting teenies.....since they're just going to share passwords with each other anyway.....If you're writing my web banking app that's a different story ;)

JGadrow
Re: Ajax Login
« Reply #3 on: November 17, 2008, 07:56:26 AM »
A simple rule: There should NEVER be a reason you need to pass around the user's password.

The user's password should ONLY play a role in authenticating that user to the system. This means the password is only accepted once from a login form. If your system needs to use the password for any other reason it should be scrapped and re-evaluated. Or, at least put up a warning to the user that you'll be passing around their password so they can either:

A) Use a separate password for your site (Users, *should* be doing this anyways, but you should also brush your teeth 3 times daily, never eat directly before sleeping or spend prolonged periods of time staring at digital screens... oops! lol)

B) Choose to visit a site that is more secure
Idiocy - Never underestimate the power of stupid people in large groups.


genmac
Re: Ajax Login
« Reply #4 on: November 17, 2008, 12:01:13 PM »
The password only has to be sent once, your ajax reply can just send a success or failure message.  You can also md5 the password at the source using javascript, and then compare it with your md5 stored password in a database or whatever.
Castle Siege - persistent browser based medieval warfare

mobeamer
Re: Ajax Login
« Reply #5 on: November 17, 2008, 01:37:55 PM »
Unless I am mistaken, you cannot make an AJAX request function as a "POST"...remember "GET" vs "POST".

This might be why you have heard that AJAX logins are less secure than normal logins.

Although this is technically correct: a POST vs a GET does not buy you a lot of security. With the proper security procedures set up, using a POST is like locking the screen door AFTER you have dead bolted the main door.

It's not really going to stop the thief, but it does make you feel more comfortable.
I build games
My Blog

Zeggy (Global Moderator)
Re: Ajax Login
« Reply #6 on: November 17, 2008, 02:43:45 PM »
Actually, I think AJAX can send stuff using POST. Most ajax libraries support it too.

Tribal
Re: Ajax Login
« Reply #7 on: November 17, 2008, 03:57:32 PM »
No, sorry, I have explained it badly.

------------- login.php ---------------
User enters email address and password into the form.


------------- login_process.php ---------------
Get the password from $_POST['password']. When you first get it here, it has been transferred in the POST as plain text. You then
$password = hash('sha1', $_POST['password']); if ($password == $password_in_db) { // start sessions etc }


Now, if I just used AJAX to POST the data from the email field and the password field to login_process.php, would it be any less secure than sending from the form on login.php?

I hope that has cleared up what I originally meant. I am not so stupid as to "pass" the password between every page the user visits. Lol

Scion
Re: Ajax Login
« Reply #8 on: November 18, 2008, 02:35:26 AM »
Um........it's no more or less secure.....with a standard HTTP GET or POST the data has still been sent as plain text....hence the suggestion to use HTTPS

unless I'm mistaken (which happens more often than I like to admit ;) )

When you're using HTTPS your browser will negotiate an encryption key with the web server, then encrypt the data before it is sent.....the web server decrypts it at the server before it passes it on to your application.

So the difference is that if the data is intercepted underway....say using a packet sniffer.....your HTTPS-encrypted data is still secure whereas your HTTP data is sitting there in plain text .....
genmac
Re: Ajax Login
« Reply #9 on: November 18, 2008, 04:53:54 PM »
Quote: "Get the password from $_POST['password']. When you first get it here, it has been transferred in the POST as plain text."

Instead, use a javascript onclick event on your submit button to md5(your_password_field) and then submit it - that way it's always hashed when it's sent.
Castle Siege - persistent browser based medieval warfare

Tribal
Re: Ajax Login
« Reply #10 on: November 19, 2008, 02:16:34 AM »
I do not use md5 to hash my passwords though. I sha1 them with a user-specific salt.
