duangan6731 2013-01-03 13:39
39 views

Security of a login system that uses Ajax

I have produced a login system which uses a basic Ajax request and some feedback, and it's working well (code is at the bottom).

Apart from hashing and salting passwords, which I'm about to put in (so don't get hung up on that), what are the security implications of using Ajax/jQuery to handle these requests? Most importantly:

  1. What is the general view when it comes to this being JS dependent as opposed to pure PHP: do people put in redundancies, or is it legitimate to simply say this is a JS-only site (a huge amount of the website is based on the Twitter Bootstrap, so it's kind of reliant on JS)?

  2. Is my PHP and JS interfacing in the correct way? (and will my cookie still work?)

  3. How can I create a secure way to now use jQuery .load() to bring in my content upon successful login?

  4. Any general advice on making my system secure?

    $(function login() {

        $("form .button").click(function () {

            // Read the form values. Sending an object lets jQuery URL-encode them,
            // so a '&' or '=' typed into a field cannot break the POST body.
            // .val() on a checkbox is always "on"; .is(':checked') gives the real flag.
            var data = {
                username: $("form #username").val(),
                password: $("form #password").val(),
                remember: $("form #remember").is(':checked') ? 1 : 0
            };

            // Ajax POST to the PHP handler
            $.ajax({
                type: "POST",
                url: "controls/login/process.php",
                data: data,
                success: function (response) {
                    if ($.trim(response) == 'success') {
                        alert("SUCCESS");
                    } else {
                        $('.alert').find('span').text('Incorrect username or password');
                        $('.alert').addClass('alert-error').fadeIn('fast');
                    }
                },
                error: function () {
                    $('.alert').find('span').text('An error occurred, try again');
                    $('.alert').addClass('alert-error').fadeIn('fast');
                }
            });

            // Stop the normal (non-Ajax) form submission
            return false;

        });
    });
    

This interfaces with

<?php
// The cookie lifetime has to be set BEFORE session_start(); after it, the
// parameters no longer apply to the session cookie sent with this response
session_set_cookie_params(2*7*24*60*60);
// Making the cookie live for 2 weeks

// Starting the session
session_start();

// Including the database connection file
require '../../tools/db/connect.php';

// If you are logged in, but you don't have the cookie and you have not checked
// the remember checkbox (a browser restart), destroy the session
if (!empty($_SESSION['reference']) && !isset($_COOKIE['unifyLogin']) && empty($_SESSION['remember'])) {
    $_SESSION = array();
    session_destroy();
    echo "expired";
}

// Escaping all input data (missing fields default to empty / 0)
$_POST['username'] = mysql_real_escape_string(isset($_POST['username']) ? $_POST['username'] : '');
$_POST['password'] = mysql_real_escape_string(isset($_POST['password']) ? $_POST['password'] : '');
$_POST['remember'] = isset($_POST['remember']) ? (int)$_POST['remember'] : 0;

$result = mysql_query("SELECT ID,REFERENCE FROM USER WHERE USERNAME='{$_POST['username']}' AND PASSWORD='{$_POST['password']}'");
$row = $result ? mysql_fetch_assoc($result) : false;

if ($row && $row['REFERENCE']) {
    // If everything is OK, log in
    $_SESSION['secure'] = false;
    // Store some data in the session
    $_SESSION['id'] = $row['ID'];
    $_SESSION['reference'] = $row['REFERENCE'];
    $_SESSION['remember'] = $_POST['remember'];
    // We create the cookie
    setcookie('unifyLogin', $_POST['remember']);
    echo "success";
} else {
    echo "failure";
}
?>
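Taking questions 1, 2 and 4 together (server-side checks that do not depend on JavaScript, cookie handling, and general hardening), here is an added example of what a hardened `process.php` can look like. It is not the asker's code and not from any project on this page. It assumes that `connect.php` creates a PDO connection in `$pdo` with `ERRMODE_EXCEPTION`, that the `USER` table has a `PASSWORD_HASH` column holding a `password_hash()` string, that a hypothetical `REMEMBER_TOKEN` table exists for remember-me tokens, and PHP 5.5 or newer (for `password_verify()`).

```php
<?php
// Added example, not the asker's code. Assumptions: $pdo from connect.php,
// USER(ID, USERNAME, PASSWORD_HASH, REFERENCE), a hypothetical table
// REMEMBER_TOKEN(USER_ID, TOKEN_HASH, EXPIRES), PHP >= 5.5.

$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Cookie parameters must be set BEFORE session_start() to take effect.
// Lifetime 0 = until the browser closes; httponly keeps the id away from
// page scripts; secure restricts it to HTTPS.
session_set_cookie_params(0, '/', '', $https, true);
session_start();

require '../../tools/db/connect.php'; // assumed to define $pdo

header('Content-Type: application/json');

// One exit point; the JSON body tells the client what happened.
function respond($status, $httpCode = 200) {
    http_response_code($httpCode);
    echo json_encode(array('status' => $status));
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond('method_not_allowed', 405);
}

// The same handler serves a plain <form method="post"> fallback and the
// jQuery request: nothing here relies on JavaScript having run.
$username = isset($_POST['username']) ? (string)$_POST['username'] : '';
$password = isset($_POST['password']) ? (string)$_POST['password'] : '';
$remember = !empty($_POST['remember']);

if ($username === '' || $password === '' || strlen($username) > 64) {
    respond('failure', 400);
}

// Prepared statement: the user input is bound as a value, never spliced
// into the SQL text, so escaping is no longer the program's job.
$stmt = $pdo->prepare('SELECT ID, REFERENCE, PASSWORD_HASH FROM USER WHERE USERNAME = ?');
$stmt->execute(array($username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Always run one password_verify(), against a throwaway hash when the
// username is unknown, so response time does not reveal valid usernames.
$hash = $row ? $row['PASSWORD_HASH'] : password_hash('dummy-password', PASSWORD_DEFAULT);
$verified = password_verify($password, $hash);

if (!$row || !$verified) {
    // Same answer for "no such user" and "wrong password".
    respond('failure', 401);
}

// Issue a fresh session id so an id obtained before login is not reused.
session_regenerate_id(true);
$_SESSION['id'] = $row['ID'];
$_SESSION['reference'] = $row['REFERENCE'];
$_SESSION['login_time'] = time();

if ($remember) {
    // Remember-me: a random token whose hash is stored server-side.
    // The cookie carries the token, not the "remember" flag itself.
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    $expires = time() + 2 * 7 * 24 * 60 * 60; // two weeks, as in the question
    $ins = $pdo->prepare('INSERT INTO REMEMBER_TOKEN (USER_ID, TOKEN_HASH, EXPIRES) VALUES (?, ?, ?)');
    $ins->execute(array($row['ID'], hash('sha256', $token), $expires));
    setcookie('unifyLogin', $token, $expires, '/', '', $https, true);
}

respond('success');
```

With a JSON response the jQuery `success` callback checks `response.status === 'success'` instead of comparing the raw body. On later requests, a companion check would look up `hash('sha256', $_COOKIE['unifyLogin'])` in `REMEMBER_TOKEN`, confirm it has not expired, and only then create a session; the token should be deleted on logout so a stolen cookie stops working.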

5 answers

  • duanche5149 2013-01-03 13:47

    The best way to ensure security on your website is to encrypt your passwords with SHA-512.

    $rounds = 5000;
    $cryptedPwd = crypt($password, '$6$rounds=' . $rounds . '$SOMeSILLySTrInG$');
    

    To decrypt:

    $pwdEntered = trim($_POST['password']);
    // $pwdHashed is the crypt() string previously stored for this user
    if (crypt($pwdEntered, $pwdHashed) == $pwdHashed) {
        // do something
    }
    

    You can also add brute-force protection, maybe with a logfile ...

    I advise you to use PDO instead of normal mysql connect.

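The answer above sketches SHA-512 `crypt()` hashing, verification, and a logfile-based brute-force limit. The following is an added example (not the answerer's code) that carries those three pieces through: a random salt per password instead of a fixed string, a comparison that does not leak the mismatch position through timing, and a small per-username failure throttle kept in a text file. It assumes PHP 5.3 or newer (for `CRYPT_SHA512`) and the `openssl` extension; the log path and the sample credentials are constructed for the demo.

```php
<?php
// Added example, not from the answer or any project. Assumes PHP >= 5.3 and
// ext/openssl. LOGIN_LOG is a constructed path for the demo.

define('LOGIN_LOG', sys_get_temp_dir() . '/login_failures.log');
define('MAX_FAILURES', 5);      // failures allowed per username ...
define('WINDOW_SECONDS', 900);  // ... within this window

// Hash a password with SHA-512 crypt. The salt is 16 random characters
// from crypt()'s alphabet [./0-9A-Za-z] and differs for every password,
// so two users with the same password get different hashes.
function hashPassword($password, $rounds = 5000) {
    $raw = openssl_random_pseudo_bytes(12);                    // 12 bytes -> 16 base64 chars
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 16);
    $hash = crypt($password, '$6$rounds=' . $rounds . '$' . $salt . '$');
    if (strlen($hash) < 13) {   // crypt() returns "*0"/"*1" when the setting is unusable
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the setting string (crypt()
// reads rounds and salt from it), then compare every byte so the time taken
// does not depend on where the first difference is (hash_equals() needs 5.6).
function verifyPassword($password, $storedHash) {
    $computed = crypt($password, $storedHash);
    if (strlen($computed) !== strlen($storedHash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($computed); $i++) {
        $diff |= ord($computed[$i]) ^ ord($storedHash[$i]);
    }
    return $diff === 0;
}

// The log holds one "timestamp sha256(username)" line per failure; hashing the
// username keeps newlines or spaces in user input from corrupting the file.
function failureKey($username) {
    return hash('sha256', $username);
}

function recentFailures($username) {
    if (!is_file(LOGIN_LOG)) {
        return 0;
    }
    $cutoff = time() - WINDOW_SECONDS;
    $key = failureKey($username);
    $count = 0;
    foreach (file(LOGIN_LOG, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if (strpos($line, ' ') === false) {
            continue;
        }
        list($ts, $who) = explode(' ', $line, 2);
        if ((int)$ts >= $cutoff && $who === $key) {
            $count++;
        }
    }
    return $count;
}

function recordFailure($username) {
    file_put_contents(LOGIN_LOG, time() . ' ' . failureKey($username) . "\n", FILE_APPEND | LOCK_EX);
}

// Combined check for a login handler: 'locked', 'success' or 'failure'.
// The password is not even checked once the username is over the limit.
function attemptLogin($username, $password, $storedHash) {
    if (recentFailures($username) >= MAX_FAILURES) {
        return 'locked';
    }
    if (verifyPassword($password, $storedHash)) {
        return 'success';
    }
    recordFailure($username);
    return 'failure';
}

// Self-check with a constructed password and a freshly generated hash.
$stored = hashPassword('correct horse battery staple');
if (attemptLogin('alice', 'correct horse battery staple', $stored) !== 'success') {
    throw new RuntimeException('valid password rejected');
}
if (attemptLogin('alice', 'wrong password', $stored) !== 'failure') {
    throw new RuntimeException('invalid password accepted');
}
echo "ok\n";
```

The stored value is the whole `crypt()` output (`$6$rounds=5000$<salt>$<digest>`), so the salt and round count travel with the hash and `verifyPassword()` needs no separate salt column. The file-based counter is enough for a single server; with several web servers the same counts would go in the database so every node sees the same lockout state.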
