I'm currently writing a project, and I decided to write it with jQuery and AJAX requests.
The only thing I don't know is: is it secure enough?
For example, when I verify the username while registering a new user, I use a jQuery AJAX request: I get the array of existing usernames from the DB (as JSON), and then check whether new_username is not inArray() of the existing usernames; if it isn't, I make another request and register the user.
But what about security? Maybe a hacker can find a way to change some of my if-else statements, and my whole security will break.
Maybe you'll help me understand this situation?
Thanks
(In the following I assume that the username is the ID with which a user can log in, not some kind of nickname ;))
Getting all the usernames as JSON is bad. Then an attacker gets all registered usernames immediately!
Just send the username to the server, validate it there and send either "valid" or "invalid" as response. I.e., check the availability on the server side.
Always validate the user input on the server side. JavaScript can be disabled.
Update:
It does not matter whether jQuery is involved or not. Everything that you send to the client (and that is not hashed or encrypted) can be read by the client; it doesn't matter whether it is an XMLHttpRequest or a "normal" request.
Would you send an HTML table with all the usernames to any visitor of your site? I hope not :)
Summary:
Why are you implementing any of that client-side?
You should send the username/password over HTTPS in an AJAX query and have the server respond with only the data required for the user to move on, not the whole username list.
Even putting security aside, what if you have millions of users? You're going to send that list to all clients for them to log in?