 

Why is AJAX authentication through HTTP considered to be non secure?

Let's consider the following scenario: assume I have a web app, and authentication of users is performed through a modal dialog window (let's say that when a user clicks the login button, an AJAX request is sent and, depending on the callback, I either close the window or display an error), and I use only the HTTP protocol. Why is it considered an insecure way to do things?

Also, please make sure that the modal dialog window is taken into account, because this is vital info. There may be some data displayed underneath the dialog window that can be accessible if modality is broken.

The question includes both:

  1. How can you break an app's security by utilizing an AJAX call?
  2. Is AJAX over HTTP less secure than a regular form over HTTP?
Denys S., asked Nov 15 '10 09:11

4 Answers

Whoever told you that is wrong. AJAX through POST is not less secure than POST with regular forms, simply because it is the same thing.

Update 1 according to the last edit:

  1. You cannot
  2. No

Argument: an AJAX request is the same HTTP request as any other (such as a request sent by an HTML form). Absolutely the same. So by definition it cannot be less or more secure.

I don't know how else to explain it: AJAX is an HTTP request, the same request your browser makes when you open an SO page or when you post the SO question form.

I can rephrase your question as something like "Why is A less secure than A?". The answer: A is not less secure than A, because A is A :-S

zerkms, answered Oct 26 '22 17:10


Any sensitive data should be channeled through HTTPS. GET data is sent in the query string. POST data is sent in the HTTP request header. AJAX can do both. Neither is secure. You need channel-level encryption to really secure it.

Slappy, answered Oct 26 '22 17:10


HTTP isn't secure for private data because the data is transmitted in plaintext. This can be intercepted anywhere between the client and the server (e.g. Wi-Fi). AJAX over HTTPS would be much better.

WolfRevoKcats, answered Oct 26 '22 17:10


I think the issue is that you are using HTTP. No matter how you look at it, it won't be secure. If you use HTTPS, the AJAX request will be just as secure as an HTML form.

So my answer would be to use HTTPS and you will be all set.

kralco626, answered Oct 26 '22 19:10
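The answers above make two claims: that an AJAX POST is the same kind of HTTP request as a form POST, and that over plain HTTP either one carries the credentials in plaintext for anyone on the path to read. The following script is an added example, not code from the question or any of the answers. It runs entirely on localhost: a raw TCP listener plays the role of an on-path observer (a Wi-Fi sniffer or proxy) and records every byte that crosses the socket, a form-style POST and a fetch/XMLHttpRequest-style JSON POST are sent with the same constructed credentials (`alice` / `hunter2`), and a small parser then pulls the password back out of each capture. Path `/login`, the field names and the header set are assumptions for the demonstration.

```python
"""Added example: a form POST and an AJAX POST over plain HTTP, as seen by
an on-path observer. Not code from the original question or answers."""
import json
import socketserver
import threading
import urllib.parse
import urllib.request


class RawCapture(socketserver.BaseRequestHandler):
    """Plays the on-path observer: records each request exactly as it crosses
    the socket, then answers with a minimal 200 so the client returns."""
    captured = []  # raw request bytes, one entry per request

    def _read_until_headers(self):
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            data += chunk
        return data

    def handle(self):
        data = self._read_until_headers()
        head, _, body = data.partition(b"\r\n\r\n")
        length = 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                length = int(line.split(b":", 1)[1].strip())
        while len(body) < length:  # body may arrive in later segments
            chunk = self.request.recv(4096)
            if not chunk:
                break
            body += chunk
        RawCapture.captured.append(head + b"\r\n\r\n" + body)
        self.request.sendall(
            b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")


def start_observer():
    srv = socketserver.TCPServer(("127.0.0.1", 0), RawCapture)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def form_post(port, user, password):
    # What a plain <form method="post"> submission puts on the wire.
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    req = urllib.request.Request(f"http://127.0.0.1:{port}/login", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    urllib.request.urlopen(req).read()


def ajax_post(port, user, password):
    # What the modal's XMLHttpRequest/fetch call puts on the wire: same verb,
    # same path, same plaintext; only the body encoding and a header differ.
    body = json.dumps({"user": user, "password": password}).encode()
    req = urllib.request.Request(f"http://127.0.0.1:{port}/login", data=body,
        headers={"Content-Type": "application/json",
                 "X-Requested-With": "XMLHttpRequest"})
    urllib.request.urlopen(req).read()


def sniff_password(raw):
    """Passive observer: parse one captured plaintext request and return the
    password, whether the body is form-encoded or JSON."""
    head, _, body = raw.partition(b"\r\n\r\n")
    ctype = ""
    for line in head.decode("latin-1").split("\r\n"):
        if line.lower().startswith("content-type:"):
            ctype = line.split(":", 1)[1].strip()
    if ctype.startswith("application/x-www-form-urlencoded"):
        return urllib.parse.parse_qs(body.decode())["password"][0]
    if ctype.startswith("application/json"):
        return json.loads(body)["password"]
    return None


def demo(user="alice", password="hunter2"):
    """Send both request styles past the observer; return what it recovered."""
    srv, port = start_observer()
    RawCapture.captured.clear()
    try:
        form_post(port, user, password)
        ajax_post(port, user, password)
    finally:
        srv.shutdown()
        srv.server_close()
    form_raw, ajax_raw = RawCapture.captured
    return {
        "form_request_line": form_raw.split(b"\r\n")[0].decode(),
        "ajax_request_line": ajax_raw.split(b"\r\n")[0].decode(),
        "form_password": sniff_password(form_raw),
        "ajax_password": sniff_password(ajax_raw),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both captures start with the same `POST /login HTTP/1.1` request line and both yield `hunter2` to the observer, which is the whole argument: the modal dialog changes nothing on the wire, and the only thing that stops this read-out is TLS between client and server. Note that the modal itself is a separate, client-side concern: whatever is rendered underneath it is already in the browser's DOM, so breaking the dialog's modality reveals nothing that a user could not also see with the developer tools.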