Just now i'm writing a project, and i desided to write it with jquery and ajax requests.
only thing, i don't know, is it secure enough?
for example, when i verify the username, when registering new user, i use jquery ajax request,
i get the array of existing usernames from db(with json), and then verify, if new_username not inArray() of existing usernames, i make another request, and register the user.
but what about security? meybe hacker can find the way to change some of my if-else statements, and whole my securite will brake.
maybe you'll help me to understand this situation?
Thanks
Just now i'm writing a project, and i desided to write it with jquery and ajax requests.
only thing, i don't know, is it secure enough?
for example, when i verify the username, when registering new user, i use jquery ajax request,
i get the array of existing usernames from db(with json), and then verify, if new_username not inArray() of existing usernames, i make another request, and register the user.
but what about security? meybe hacker can find the way to change some of my if-else statements, and whole my securite will brake.
maybe you'll help me to understand this situation?
Thanks
Share Improve this question edited Jun 22, 2010 at 16:50 Marcel Korpel 21.8k6 gold badges62 silver badges80 bronze badges asked Jun 22, 2010 at 16:40 SimonSimon 23.1k36 gold badges93 silver badges122 bronze badges 1- 1 thanks much for interesting discussion. and maybe you know the methods of changing client side script? are there a tools for it? – Simon Commented Jun 22, 2010 at 17:08
4 Answers
Reset to default 12(In the following I assume, that the username is the ID with which a user can log in, not some kind of nickname ;))
Getting all the usernames as JSON is bad. Then an attacker gets all registered usernames immediately!
Just send the username to the server, validate it there and send either "valid" or "invalid" as response. I.e., check the availability on the server side.Always validate the user input on the server side. JavaScript can be disabled.
Update:
It does not matter whether jQuery is involved or not. Everything that you send to client (and is not hashed or encrypted) can be read by the client, it doesn't matter whether it is an XMLHttpRequest or a "normal" request.
Would you send a HTML table with all the usernames to any visitor of your site? I hope not :)
Summary:
- Only send data, that the client is allowed to have access to.
- Validate user input on the server side.
- Never trust user input.
Why are you implementing any of that client-side?
You should send the username/password over HTTPS in an AJAX query and have the server respond with only the data required for the user to move on, not the whole username list.
Even putting security aside, what if you have millions of users? You're going to send that list to all clients for them to log in?
Ajax is not a replacement for server side code. While it is possible to implement log in and registration functionality using ajax, you will still need to validate and store data on the server.
A more sane implementation would simply send an https request to the server containing the username and password to which the server would respond with a yay or nay.
Security is one of those things that is best done server side if possible. My typical approach to AJAX login is to send the username and an MD5 or SHA1 hashed password to a method on the server which will then take care of all of the login details. The details of that implementation will really depend on your server-side technology, but most web application frameworks have facilities in place to do that. There may even be some solutions which include Javascript libraries to handle the client side work as well.