tags:

views:

226

answers:

4

Hi, I am trying to develop my login script to give feedback to the user if the login is valid or not. Basically if it isn't correct a div box will show saying its wrong, if its correct it will show its valid and re-direct to a members page.

Would this be secure sending it to a php script..checking with the database, then the php script either returns a true or false value?

Something like this?

function check_login(username, password)
{
var httpRequest;
make_request()
function stateck() 
{


 if(httpxml.readyState==4)

 { 
  if (httpxml.responseText.indexOf("true") >= 0)
  {
  $("#valid_div").show();
  $("#invalid_div").hide();

  }
  else 
  {
  $("#invalid_div").show();
  $("#valid_div").hide();

  }


 }
 }

httpxml.onreadystatechange=stateck;
login_url="login/login.php?username=" + username.value + "password=" + password.value;
httpxml.open("GET",login_url,true);
httpxml.send(null);
}

I am planning to add an ssl certificate, so I assume this would be secure?

Thanks

+2  A: 

If the login_url you are using is over HTTPS then it is secure. But to further increase security you might consider sending the username and password with POST instead of concatenating them to the url with a GET request.

var parameters = 'username=' + username.value + '&password=' + password.value;
httpxml.onreadystatechange = stateck;
httpxml.open('POST', 'login/login.php', true);
httpxml.setRequestHeader('Content-Type', "application/x-www-form-urlencoded");
httpxml.setRequestHeader('Content-Length', parameters.length);
httpxml.send(parameters);
Darin Dimitrov
As this is Ajax en the user does not get to see the URL there is no security difference between using GET and POST in this case. Only people scanning the network traffic will see the request.
Matijs
People scanning network traffic are a very REAL security problem.
Gabriel Hurley
@Martijs, all the proxy servers in between the client and the server will have GET urls in their logs which is a security issue. **Never** send username and password in a GET request.
Darin Dimitrov
You are right, I was still sleeping.
Matijs
Thanks, how would I check against the true or false value returned from the login script?
Elliott
A: 

login_url="login/login.php?username=" + username.value + "password=" + password.value;

No, its not secure likethis. You need to send this using POST instead of Get (currently you are using GET).

claws
+4  A: 

First off, use an HTTP POST. The contents of GET are visible to anyone scanning network traffic, and often stored in logs, caches, and proxies regardless of SSL.

For POST transmission, using SSL would increase security, however there are still innumerable holes depending on the rest of your setup:

  • Salt your passwords to avoid sending or storing them plainly at any point.
  • Make sure your database is kept securely.
  • Make sure you're not giving away too much information with your valid/invalid responses.
  • Protect against brute force attacks...

the list goes on and on...

Gabriel Hurley
Thanks, once the login page has been validated the user is checked again on everypage for the session and if the values match the database. So this sould increase secuirty
Elliott
A: 

Why everybody here is saying POST is more secure than GET when used over HTTPS ?

even if you are doing GET the url is never sent in the open, in the first step the browser opens a secure channel to the server on port 443 and everything else is encrypted, including the GET part.

Cannot be sniffed. Am I missing something ?

Mis Tigi