Menu
My JS Code(Just example, maybe there is some syntax error)
$(document).on('click','#btnEdit',function(e){
var id = $("#inp_id").val(), ps = $("#inp_ps");
$.ajax({
type: 'POST',
url: 'http://example.php',
data: {act:'#LogIn',id:id,ps:ps},
success: function(response){
if($.trim(response) === "success"){
alert("Login Successful");
}
else{
alert("Invalid ID or Password");
}
}
});
});
Inside the php
if($_POST[act] == "#LogIn"){
$userid = Encrypt($_POST[id],$key1);
$userps = hashPS($_POST[ps],$salt);
//query...
if(result > 0){
$_SESSION['id'] = Encrypt($userid,$key2);
$_SESSION['token'] = //random code;
}
}
My question:
Is there any way to make the code secure? Because i think the attackers can just write their own script and send data to the php for getting and id.
Or maybe it is just a bad idea using ajax to login and register.
593
Ajax is not inherently secure or insecure. It does however open up 'opportunities' for insecure code. A mistake I commonly see is as follows: The user is authenticated in code-behind when the page is loaded.
Ajax makes the best use of the server's bandwidth by fetching particle contents instead of transmitting the entire page's content. This means that you can bring data from the database and store it into the database to perform background without reloading the page.
AJAX allows web pages to be updated asynchronously by exchanging data with a web server behind the scenes. This means that it is possible to update parts of a web page, without reloading the whole page.
Check out The definitive guide to form-based website authentication [closed] .
Salting from frontend mainly aims at protecting privacy of your users. While CAPTCHA aims at verifying your user is a real person but a spider and protecting your server from DDOS attack.
To guarantee security you need HTTPS. There are potential risks if you implement login service without HTTPS, such as Man-in-the-Middle-Attack. So I have to provide a backend solution here.
As is mentioned by Raptor, attackers can still test the password via bruteforce. Yes, indeed. Yet if you choose your encryption algorithm correctly, it will take millions of years to crack a single password.
Besides there is one more attack, named Cross-site request forgery. You have to prevent it by simply introducing a csrf_token.
I asked a question(【django-1.11.3/angular-1.6.4】POST AJAX CSRF verification failed) a year ago where you might get some inspiration.
sudo apt install certbot
sudo certbot certonly --standalone -d example.com -d www.example.com
It's sometimes better if you use OAuth and make service providers such as Google or Facebook take the responsibility to take care of login security.
150
The best practices for making it secure are as follows.
Implement CSRF token so every request is sent using a CSRF (Cross Site Request Forgery). CSRF insures if the request is valid. You may get further details about CSRF implementation from here
Apply IP check on the server side. Check from which IP the request is coming. You should only accept the requests which are coming from your own server. You can use $_SERVER['REMOTE_ADDR'] for that purpose
Captcha on the client side to protect from BOTS Google recaptcha is best for this. Details are here
If you apply the above you will be secure enough for POST requests.
3
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
