The parameters are always visible. A couple of key things are:
- Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.
- Is the data received the kind of data expected? Validate the data you receive to check for characters you don't allow.
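As an added illustration of the two checks listed above (not code from this thread or any poster), here is a Python sketch of a login-form token that is generated per render, tied to the session, accepted once, and then discarded, alongside an allow-list check on the submitted username; the session store, the field names and the allowed character set are assumptions.

```python
import hmac
import re
import secrets

# Constructed example: per-session store of outstanding form tokens.
# In a real application this lives in server-side session storage.
_sessions: dict[str, set[str]] = {}

# Assumed allow-list for usernames: anything outside it is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def issue_form_token(session_id: str) -> str:
    """Generate a fresh, unpredictable token each time the form is rendered."""
    token = secrets.token_urlsafe(32)
    _sessions.setdefault(session_id, set()).add(token)
    return token


def consume_form_token(session_id: str, token: str) -> bool:
    """Accept a token once for the session it was issued to, then discard it."""
    outstanding = _sessions.get(session_id, set())
    for stored in list(outstanding):
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(stored, token):
            outstanding.discard(stored)
            return True
    return False


def handle_login(session_id: str, form: dict) -> tuple[int, str]:
    """Check origin (token) first, then validate the data before using it."""
    token = form.get("form_token", "")
    if not consume_form_token(session_id, token):
        return 403, "request did not come from a form this session was shown"
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        return 400, "username contains characters that are not allowed"
    return 200, f"credentials for {username} accepted for verification"
```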
arborint wrote:
- Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.
Where can it be from? Can't Ajax requests only be executed on local pages?
This is yet another example of where you should be serving Ajax pages through the same channels as your regular pages (with different templates/views).