Ajax login security

JavaScript and client side scripting.

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA
Post by JellyFish »

How secure are Ajax logins? What makes them secure or not?
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

The developer makes them secure ;)
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

What are some things I have to be aware of?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

It is the same security issues as any login request. Make sure you filter and validate all values server-side.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

What about the fact that it's a visible parameter in the request (i.e. in Firebug or any other equivalent)?

What are all the validations required? I don't think I have any.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

The parameters are always visible. A couple of key things are:

- Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.

- Is the data received the kind of data expected? Validate the data you receive to check for characters you don't allow.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

arborint wrote: - Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.
Where can it be from? Can't Ajax requests only be executed on local pages?
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

This is yet another example of where you should be serving Ajax pages through the same channels as your regular pages (with different templates / views).