Is it safe to use ajax for login?


Solution 1

I can't think of any security implications on using Ajax to handle login and logout. It doesn't matter what you send back and forth (as long as you don't send plain text passwords from server to client) between the ajax and server side layer, because the session will be the one which will hold the authorization state.

However, you would still have to refresh the page, or redirect to show the appropriate content to the just authorized user. So, I don't think Ajax is going to be effective at this particular situation.

Solution 2

Security

AJAX is as safe as a plain old form + refresh page. In the end it's always an HTTP request. Why do you think that?

However, from a usability point, make sure that people that disable javascript can still log into your app.

Be sure to use the POST method to send your AJAX request, as GET requests, and their params (such as, let's say, a plain-text password) might end up in your web server logs, unless you are using HTTPS.

Usability

As Grégoire pointed it out:

Also from a usability point, autocomplete won't work for AJAX forms on Chrome, and for AJAX-loaded forms in Firefox. The browsers won't even propose to remember your password.

Solution 3

Login through ajax POST should be safe as long as you have a way of preventing XSRF attacks. It can be done by setting the X-CSRFToken header in your ajax request. On the server side you should have some sort of middleware to check and verify your CSRF token from the header.

You can set the csrf token in the cookie and then query it and set it in the header:

var csrftoken = $.cookie('csrftoken'); // token the server set in the cookie

$.ajax({ type: 'POST', url: 'login.php', data: $('#login-form').serialize(),
    beforeSend: function (xhr) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } });

(I have used the jQuery cookie library here to illustrate.)

Solution 4

GET or POST versus an ajax call have the same set of security risks. The one or the other is not implicitly riskier.


Updated on June 23, 2022

Comments

  • Qchmqs
    Qchmqs almost 2 years

    I am about to include a login system in my web site, but I don't think it's a good idea for security to use ajax to send and receive confirmation from an external php script called login.php, and to log out the same way with another logout.php. Any recommendation?

  • Clement Herreman
    Clement Herreman over 12 years
    In fact, you send, from the client to the server, passwords in plain text (except for https pages). However, you shall be punished if you send plain text passwords from server to client.
  • Clement Herreman
    Clement Herreman over 12 years
    GET request might end up in the web server logs, along with plain-text passwords :/
  • Qchmqs
    Qchmqs over 12 years
    No, I can just load the content that should be loaded with an ajax request. I can simply load the container, which will change the content (at the server side) and send different content (the appropriate content).
  • Shef
    Shef over 12 years
    @Qchmqs: Then there is no security flaw, because the authentication validation will be done on the server side. At the time you send back the response with the content you will check if the user has been authenticated.
  • Qchmqs
    Qchmqs over 12 years
    I don't think I understood what you said?
  • Shef
    Shef over 12 years
    @Qchmqs: You said you will be loading the content with an ajax request. I said, OK, you can do it, and it will be still secure, because you will check on the server if the user is authenticated before sending the content back to the ajax request. I was simply agreeing with you.
  • Qchmqs
    Qchmqs over 12 years
    So I think I should go on with this idea and start coding right now? (after a cigarette of course)
  • Johan
    Johan over 12 years
    @clement: Sure, but that is true no matter whether the request is done via form or ajax.
  • Clement Herreman
    Clement Herreman over 12 years
    Right, so then it is even more false that GET or POST have the same set of security risks.
  • Davy8
    Davy8 over 12 years
    @Johan I think the problem is your wording could be interpreted in multiple ways. What you meant was that normal GET or POST have the same security implications as AJAX GET or AJAX POST. But what you wrote could be interpreted as GET or POST have the same security risks whether it is AJAX or not.
  • greg0ire
    greg0ire about 11 years
    Also from a usability point, autocomplete won't work for AJAX forms on chrome, and for AJAX-loaded forms in firefox. The browsers won't even propose to remember your password.
  • Clement Herreman
    Clement Herreman about 11 years
    @greg0ire right, I'm experiencing these days, and it's not really funny :(. Editing to add your remark.
  • mat_boy
    mat_boy almost 8 years
    I think that nowadays the sentence "make sure that people that disable javascript can still log into your app" should be amended. I cannot imagine any serious web application that works without javascript.
  • RAMM-HDR
    RAMM-HDR almost 4 years
    It's not recommended to use a cookie to store tokens: the best way to set CSRF Tokens