Is it safe to use ajax for login?

Backend | unresolved | 6 answers | 1180 views
隐瞒了意图╮ 2020-12-10 03:31

I am about to include a login system in my web site, but I don't think it's a good idea for security to use ajax to send and receive confirmation from an external php scri

6 answers
  • 2020-12-10 04:18

    Login through ajax POST should be safe as long as you have a way of preventing XSRF attacks. It can be done by setting an X-CSRFToken header in your ajax request. On the server side you should have some sort of middleware to check and verify your CSRF token from the header.

    You can set the csrf token in the cookie and then query it and set it in the header:

    // read the token the server placed in the 'csrftoken' cookie (jquery.cookie plugin)
    var csrftoken = $.cookie('csrftoken');

    // attach it to every subsequent jQuery ajax request as the X-CSRFToken header
    $.ajaxSetup({ beforeSend: function (xhr) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } });

    (I have used the jquery cookie library here to illustrate.)

  • 2020-12-10 04:20

    You can use AJAX with an SSL container (HTTPS). But the sender page must also be encrypted, because of the cross-domain policy.

  • 2020-12-10 04:24

    A GET or POST form submission versus an ajax call have the same set of security risks. Neither one is implicitly riskier than the other.

  • 2020-12-10 04:30

    Security

    AJAX is as safe as a plain old form + page refresh. In the end it's always an HTTP request. Why do you think otherwise?

    However, from a usability point, make sure that people that disable javascript can still log into your app.

    Be sure to use the POST method to send your AJAX request, as GET requests and their params (such as, let's say, a plain-text password) might end up in your web server logs, unless you are using HTTPS.

    Usability

    As Grégoire pointed out:

    Also from a usability point, autocomplete won't work for AJAX forms on Chrome, or for AJAX-loaded forms in Firefox. The browsers won't even propose to remember your password.

  • 2020-12-10 04:32

    I can't think of any security implications of using Ajax to handle login and logout. It doesn't matter what you send back and forth (as long as you don't send plain-text passwords from server to client) between the ajax and server-side layers, because the session will be the one that holds the authorization state.

    However, you would still have to refresh the page, or redirect, to show the appropriate content to the just-authorized user. So I don't think Ajax is going to be effective in this particular situation.

  • 2020-12-10 04:36

    Well, ajax posts are safe.

    It all depends on your coding; you have to code keeping in mind all the possible attacks that can happen.

    Use ajax just for sending data, do all the authentication in php, and return a success message.
