I'm looking at how to send a username and password via Ajax to PHP securely and how to also store the values in the MySQL database properly too.
In the past I have used the following type of example:
var formData = {username:$('#username').val(), password:$('#password').val()};
//SEND
$.ajax({
type: "POST",
url: "/signin.php",
data: formData,
success: function(data) {
//success
}
});
This is to send the values via JavaScript to then get a return OK
or FAIL
from the PHP. But is this secure enough? I was hoping someone would be kind enough to point me in the right and secure direction of sending sensitive data from JavaScript to PHP.
SQLfiddle
To be secure you need to ensure at minimum three things:
To do it "right" you should also consider:
Create a database user especially for authentication. Limit table/schema access accordingly. Use a separate subdomain for authentication. Use fastcgi-php or suphp to set the user for auth access to the database. Allow normal PHP database user to only read a semaphore or other login state credential from this "sandbox."
When users are entering their passwords, use site verification, ssl, and a verification "phrase" or picture they set when they created their account so they can be sure they are inputing to your server.
Additionally, most security concerns are going to be involved in what you do after the login. How do you plan to maintain the user's session? Greater security usually requires compromising convenience to the user. You need to consider carefully what type of abilities and information the user will have access to once authenticated. Your security plan should take that into account.
An alternative you might consider is using OAuth2 providers such as Google and Facebook.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With