1

I'm making an Ajax login system and I wonder if this is secure:

  1. Post the username and the password with ajax
  2. Check the login server side, if valid, return the new session id and the user id in a JSON string
  3. Get the JSON with javascript then create the session's cookies "session_id" and "user_id"
  4. Call the page where the logged user is redirected with AJAX

Thanks

4 Answers

1

Secure for 08/15 website: yes
Secure for online banking: no

The method you use is equivalent to an unencrypted everyday login <form>. However, you should really not rely on a "user_id" cookie. Rather, save the verified user_id in the session store only.

Also you might try to simply return the session cookie on the JSON result for the AJAX call. It usually sticks to all further HTTP requests, so you don't need (3) to set the cookie via Javascript additionally.

mario
  • Thank you for the advice, I will remove the user id from the cookies and also step (3). About step 3, does the HTTP method work with all browsers? –  Jan 02 '11 at 23:33
  • @mario: what do you mean by *08/15 website* ? – Rajat Gupta Nov 04 '13 at 08:42
  • @user01: Sorry. That was a localism for everyday / run-of-the-mill things, here including common non-commercial website types like e.g. blogs, bulletin boards / forums, wikis, online chats, homepage / portal scripts. – mario Nov 04 '13 at 15:46
1

Creating a secure login system is HARD. I would just like to name a few things that could go wrong (bite you in the ass):

  • insecure connection (http instead of https).
  • XSS
  • CSRF
  • SQL-injection
  • unencrypted passwords or simple md5, vulnerable to rainbow table attacks.

There are a lot of free secure login systems (created by security experts) which you should use instead, for example:

  • facebook connect
  • google friend connect
  • twitter single sign on
  • openid
Alfred
0

I think it could be secure when you use POST in step 1 with an already ciphered password and a slightly ciphered username, to avoid simple attacks.
Like send(base64_encode(username), md5(password));

Another thing: you should check the validity of the session id on the server side, not on the client side in the app.
You cannot let a client-side script (which could be altered by an advanced user) check session validity.

It's like creating a nice and secure API: you have to check everything on the server and not leave anything dangerous (setting/deleting/creating methods, etc.) open worldwide.

Marek Sebera
  • I don't use md5 for hashing the password, I use phpass (http://www.openwall.com/phpass/). Should I hash the password client side with md5 and then hash it again with phpass server side? Is this really necessary? Thanks –  Jan 02 '11 at 23:56
  • It is only an example. You very hardly need to cipher the user password somehow. And you need to hash it before sending it via JavaScript. Depends on how high a security level you want to create. – Marek Sebera Jan 03 '11 at 12:57
0

I can think of several problems with this idea, in direct order of importance (least to most):

1) Your site won't work for those with JS disabled.

2) Your site may not show the in-browser yellow toolbar to notify the user that SSL/HTTPS is enabled. (Depends on implementation).

3) The user_id parameter is not required client side, and probably not a good idea either. Authentication tokens are almost always just a single identifier, and that's all that is required to prove a user is logged in.

4) It's usually bad practice to write your own authentication capabilities. I know you are not replicating the back-end (which is a very bad idea), but most frameworks already automate the front-end authentication for you and do a good job at it. Use those frameworks, because they have been tested and are secure. Also, a lot of the time the framework will help you (e.g. make it easier to switch authentication providers).

Simon at LabSlice-com
  • 1) I have a JavaScript-off version of my login form 2) I don't use SSL 3) I agree with you, I will remove it 4) I don't really like frameworks and I'm not familiar with 5) thank you ;) –  Jan 02 '11 at 23:39
  • @cool-man you should probably use SSL if you're worried about security, otherwise the initial POST of the username and password makes everything else after it pointless, doesn't it? – jamiebarrow Dec 11 '12 at 11:42