Ajax login security

Posted: Thu Jun 07, 2007 8:46 pm
by JellyFish
How secure are Ajax logins? What makes them secure or not?

Posted: Thu Jun 07, 2007 8:59 pm
by nickvd
The developer makes them secure ;)

Posted: Thu Jun 07, 2007 9:21 pm
by JellyFish
What are some things I have to be aware of?

Posted: Thu Jun 07, 2007 9:51 pm
by Christopher
It is the same security issues as any login request. Make sure you filter and validate all values server-side.

Posted: Fri Jun 08, 2007 12:01 am
by JellyFish
What about the fact that it's a visible parameter in the request (i.e. in Firebug or any other equivalent)?

What are all the validations required? I don't think I have any.

Posted: Fri Jun 08, 2007 12:34 am
by Christopher
The parameters are always visible. A couple of key things are:

- Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.

- Is the data received the kind of data expected? Validate the data you receive to check for characters you don't allow.

Posted: Fri Jun 08, 2007 2:55 am
by JellyFish
arborint wrote: - Is the data from where it is supposed to be from? Generate a new unique key every time you present a login form and check for that key when you receive the request.
Where can it be from? Can't Ajax requests only be executed on local pages?

Posted: Fri Jun 08, 2007 9:51 am
by Kieran Huggins
This is yet another example of where you should be serving Ajax pages through the same channels as your regular pages (with different templates / views).