AJAX login security and best practices

I’ve been playing around with AJAX login for my PHP authentication system. The authentication system is well tested, and for the sake of this thread we will say that it is 100% secure. I say that because it’s not the PHP that I am concerned with, it’s the javascript.

When somebody attempts to log in, AJAX is sending the request, which is processed by PHP, and then PHP sends back a response. In that response, depending on if the login attempt was successful, there could be info like the user’s ID, what level user they are, etc. If there was an error, the response would include things like the error count, if the user is on hold (which means they have too many login attempts), etc.

So, let’s say that the login attempt was successful. In plain HTTP requests (non-AJAX) I would be able to show the site visitor something based on their user ID, user level, etc. But with this AJAX login, what can I do? Anything that I can think of doing with AJAX can just be circumnavigated by somebody in their console.

For instance, if I have a hidden div#cool_stuff and showed it based on a successful login, there's no security in that, because a person could just type `$('#cool_stuff').show();` into their browser's console.

So, what I’m wondering is, what are the best practices concerning AJAX login. It honestly doesn’t seem very useful, but I would hope that somebody here can shed some light on this concern of mine.

Sorry, but could you explain a bit more, I'm confused. You say

but then say

IMHO it should not include any information other than a “fail” so a type of “try again” message can be displayed.

This is where SESSIONs - on the PHP code side - come into play. If there is a successful login the server will provide the page, otherwise it won't.

You are correct in that JavaScript is inherently not for security.

The JavaScript in the AJAX login should not pass any sensitive information that is not encrypted. Nor should it return any information upon success; why would it need to?

TBH I would consider not using AJAX at all for logging in and only use it to enhance a visitor's experience (loading content in "real time", showing form submission errors w/o a page load, table sorting, etc.).

The error count is just to let them know they have n of 5 attempts before they are locked out for 10 mins.

I’m not ever using javascript for such things, but since I developed the login system and people are asking for features, it’s nice to provide them if they are well thought out. Right now I provide a way that they can respond with JSON, but it’s up to them to do whatever they want to do.

As an enhancement for the visitor’s experience, I can’t really think of a good reason to use AJAX to login, but I see it done on a few websites.

After a successful login, make another Ajax request for the contents of cool_stuff.
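The two replies above (keep the authorization decision in the PHP session, and fetch the gated content with a second, authenticated request) can be put together in a few lines of server code. The following is an added example, not code from the thread or from the poster's authentication system. It assumes a hypothetical `attempt_login()` function standing in for the existing, already-tested PHP back end, and a hypothetical `render_cool_stuff_for()` that builds the protected fragment; everything else is standard PHP.

```php
<?php
// login.php  (added example; the helper functions are assumed, not the thread author's code)
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['ok' => false]);
    exit;
}

// Assumed to wrap the existing authentication system. Returns:
//   ['ok' => true,  'user_id' => int]                              on success
//   ['ok' => false, 'attempts_left' => int, 'locked' => bool]     on failure
// Rate limiting and lockout are decided here, server-side, keyed to the account,
// never to anything the browser sends back to us.
$result = attempt_login($_POST['username'] ?? '', $_POST['password'] ?? '');

if (!$result['ok']) {
    http_response_code($result['locked'] ? 429 : 401);
    // Only what the UI needs to render "n of 5 attempts left" or "on hold".
    // No user id, no user level, no hint about which field was wrong.
    echo json_encode([
        'ok'            => false,
        'attempts_left' => $result['attempts_left'],
        'locked'        => $result['locked'],
    ]);
    exit;
}

// Success: tie the identity to a fresh session id so a session fixed before
// login cannot be reused, then store the identity server-side only.
session_regenerate_id(true);
$_SESSION['user_id'] = $result['user_id'];

// The browser learns nothing but "you are logged in". What it may see is
// decided per request by the session, not by anything sent here.
echo json_encode(['ok' => true]);

// ---------------------------------------------------------------------------
// cool_stuff.php  (the second request the JavaScript makes after a successful login)
// ---------------------------------------------------------------------------
/*
<?php
declare(strict_types=1);

session_start();

// No valid session, no content. Showing div#cool_stuff from the console gives an
// attacker an empty div; the markup that matters never left the server.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// User level is looked up from the server-side record of the session user,
// never read from a request parameter or a previous JSON response.
header('Content-Type: text/html; charset=utf-8');
echo render_cool_stuff_for((int) $_SESSION['user_id']);   // assumed helper
*/
```

On the client, the AJAX flow is then: POST the form to `login.php`; on `{"ok": true}` issue a GET to `cool_stuff.php` (with the session cookie, which the browser sends automatically) and inject the returned HTML into the div; on `{"ok": false}` show the "n attempts left" or "on hold" message and nothing else. The `.show()` in the console stops mattering because the element is empty until the server decides otherwise, and that decision is made on every request from `$_SESSION`, which the browser cannot edit.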

I suppose this works because the second request is authenticated. So this is the best practice? Is this what you do?
