Reputation: 23149
Just now I'm writing a project, and I decided to write it with jQuery and Ajax requests.
The only thing I don't know is: is it secure enough?
For example, when I verify the username when registering a new user, I use a jQuery Ajax request, I get the array of existing usernames from the DB (with JSON), and then verify; if new_username is not inArray() of the existing usernames, I make another request and register the user.
But what about security? Maybe a hacker can find a way to change some of my if-else statements, and my whole security will break.
Maybe you'll help me to understand this situation?
Thanks
Upvotes: 5
Views: 732
Reputation: 9443
Security is one of those things that is best done server side if possible. My typical approach to AJAX login is to send the username and an MD5 or SHA1 hashed password to a method on the server which will then take care of all of the login details. The details of that implementation will really depend on your server-side technology, but most web application frameworks have facilities in place to do that. There may even be some solutions which include Javascript libraries to handle the client side work as well.
Upvotes: 2
Reputation: 817030
(In the following I assume that the username is the ID with which a user can log in, not some kind of nickname ;))
Getting all the usernames as JSON is bad. Then an attacker gets all registered usernames immediately!
Just send the username to the server, validate it there and send either "valid" or "invalid" as response. I.e., check the availability on the server side.
Always validate the user input on the server side. JavaScript can be disabled.
Update:
It does not matter whether jQuery is involved or not. Everything that you send to the client (and is not hashed or encrypted) can be read by the client; it doesn't matter whether it is an XMLHttpRequest or a "normal" request.
Would you send an HTML table with all the usernames to any visitor of your site? I hope not :)
Summary:
Upvotes: 12
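The server-side availability check this answer describes, as an added example that is not part of the original thread: it assumes Node.js, a constructed in-memory Set standing in for the database, and a hypothetical username policy (lowercase letters, digits and underscore, 3 to 20 characters). The client only ever receives "valid" or "invalid", never the list.

```javascript
// Added example (not from the original thread): username availability and
// registration checked on the server, returning only "valid"/"invalid".
// Assumes Node.js; the user store is a constructed in-memory Set in place of
// a database lookup. The username policy below is a hypothetical one.

const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

// Constructed sample data: usernames that already exist in the database.
const existingUsers = new Set(["alice", "bob", "carol_99"]);

// Normalize the same way the registration code stores names, so the
// availability check and the later insert agree on what "taken" means.
function normalize(username) {
  return typeof username === "string" ? username.trim().toLowerCase() : "";
}

// Server-side check: the caller learns one bit (valid/invalid), not why,
// and never sees other users' names.
function checkAvailability(rawUsername, store = existingUsers) {
  const username = normalize(rawUsername);
  if (!USERNAME_RE.test(username)) return { status: "invalid" };
  if (store.has(username)) return { status: "invalid" };
  return { status: "valid" };
}

// Request handler shape: parse the JSON body a jQuery $.ajax call would send
// and build the JSON response. Malformed JSON is rejected, not crashed on.
function handleCheckRequest(body, store = existingUsers) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { statusCode: 400, body: JSON.stringify({ status: "invalid" }) };
  }
  const result = checkAvailability(parsed && parsed.username, store);
  return { statusCode: 200, body: JSON.stringify(result) };
}

// Registration re-checks on the server even though the client already asked:
// JavaScript can be disabled and the first request skipped entirely.
function registerUser(rawUsername, store = existingUsers) {
  const username = normalize(rawUsername);
  if (checkAvailability(username, store).status !== "valid") return false;
  store.add(username);
  return true;
}
```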
Reputation: 15484
Ajax is not a replacement for server side code. While it is possible to implement log in and registration functionality using ajax, you will still need to validate and store data on the server.
A more sane implementation would simply send an https request to the server containing the username and password to which the server would respond with a yay or nay.
Upvotes: 5
Reputation: 69382
Why are you implementing any of that client-side?
You should send the username/password over HTTPS in an AJAX query and have the server respond with only the data required for the user to move on, not the whole username list.
Even putting security aside, what if you have millions of users? You're going to send that list to all clients for them to log in?
Upvotes: 6