English 中文(简体)
ajax login using httpRequest?
原标题:

I am trying to develop my login script to give feedback to the user if the login is valid or not. Basically if it isn t correct a div box will show saying its wrong, if its correct it will show its valid and re-direct to a members page.

Would this be secure sending it to a php script..checking with the database, then the php script either returns a true or false value?

Something like this?

function check_login(username, password)
{
var httpRequest;
make_request()
function stateck() 
{


    if(httpxml.readyState==4)

    { 
        if (httpxml.responseText.indexOf("true") >= 0)
        {
        $("#valid_div").show();
        $("#invalid_div").hide();

        }
        else 
        {
        $("#invalid_div").show();
        $("#valid_div").hide();

        }


    }
    }

httpxml.onreadystatechange=stateck;
login_url="login/login.php?username=" + username.value + "password=" + password.value;
httpxml.open("GET",login_url,true);
httpxml.send(null);
}

I am planning to add an ssl certificate, so I assume this would be secure?

Thanks

最佳回答

If the login_url you are using is over HTTPS then it is secure. But to further increase security you might consider sending the username and password with POST instead of concatenating them to the url with a GET request.

var parameters =  username=  + username.value +  &password=  + password.value;
httpxml.onreadystatechange = stateck;
httpxml.open( POST ,  login/login.php , true);
httpxml.setRequestHeader( Content-Type , "application/x-www-form-urlencoded");
httpxml.setRequestHeader( Content-Length , parameters.length);
httpxml.send(parameters);
时间:2009-11-14 12:23:48
问题回答

First off, use an HTTP POST. The contents of GET are visible to anyone scanning network traffic, and often stored in logs, caches, and proxies regardless of SSL.

For POST transmission, using SSL would increase security, however there are still innumerable holes depending on the rest of your setup:

  • Salt your passwords to avoid sending or storing them plainly at any point.
  • Make sure your database is kept securely.
  • Make sure you re not giving away too much information with your valid/invalid responses.
  • Protect against brute force attacks...

the list goes on and on...

时间:2009-11-14 12:28:32

Why everybody here is saying POST is more secure than GET when used over HTTPS ?

even if you are doing GET the url is never sent in the open, in the first step the browser opens a secure channel to the server on port 443 and everything else is encrypted, including the GET part.

Cannot be sniffed. Am I missing something ?

时间:2010-03-05 18:45:28

login_url="login/login.php?username=" + username.value + "password=" + password.value;

No, its not secure likethis. You need to send this using POST instead of Get (currently you are using GET).

时间:2009-11-14 12:25:49


上一篇:
下一篇:


相关问题
ajax login using httpRequest?

I am trying to develop my login script to give feedback to the user if the login is valid or not. Basically if it isn t correct a div box will show saying its wrong, if its correct it will show its ...

时间:2009-11-14 12:18:03 回答:4 展示:1
Remotely authenticating client Windows user on demand

Suppose I am writing a server for a particular network protocol. If I know that the client is running on a Windows machine, is it possible for my server to authenticate the Windows user that owns the ...

时间:2009-11-14 11:57:12 回答:1 展示:1
Role/Permission based forms authorizing/authentication?

While looking into forms authorizing/authentication, I found that it is possible to do role based authorizing by adding an array of roles to a FormsAuthenticationTicket. That way I can write User....

时间:2009-11-05 23:14:23 回答:1 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全