I have produced a login system which uses a basic ajax request and some feedback, and it's working well (code is at the bottom).
Apart from hashing and salting passwords which I'm about to put in (so don't get hung up on that), what are the security implications of using Ajax/jQuery to handle these requests? Most importantly:
What is the general view when it comes to this being JS dependent as opposed to pure PHP - do people put in redundancies, is it legitimate to simply say this is a JS only site (a huge amount of the website is based on the Twitter bootstrap, so it's kinda reliant on JS)?
Is my PHP and JS interfacing in the correct way? (and will my cookie still work?)
How can I create a secure way to now use jQuery .load() to bring in my content upon successful login?
Any general advice on making my system secure?
$(function login() {
    $("form .button").click(function () {
        // getting form values and assigning variable names
        var username = $("form #username").val();
        var password = $("form #password").val();
        // a checkbox's .val() is "on" whether or not it is ticked; .is(':checked') gives the real state
        var remember = $("form #remember").is(':checked') ? 1 : 0;
        // pass the values as an object so jQuery URL-encodes them (a password containing & or + would otherwise break a hand-built query string)
        var data = { username: username, password: password, remember: remember };
        // begin Ajax post function
        $.ajax({
            type: "POST",
            url: "controls/login/process.php",
            data: data,
            success: function (response) {
                if (response == 'success') {
                    alert("SUCCESS");
                } else {
                    $('.alert').find('span').text('Incorrect username or password');
                    $('.alert').addClass('alert-error').fadeIn('fast');
                }
            },
            error: function () {
                $('.alert').find('span').text('An error occurred, try again');
                $('.alert').addClass('alert-error').fadeIn('fast');
            }
        });
        return false;
    });
});
This interfaces with
<?php
// Making the cookie live for 2 weeks; this must run before session_start(), because it has no effect on a session that is already started
session_set_cookie_params(2*7*24*60*60);
// Starting the session
session_start();
// Including the database connection file
require '../../tools/db/connect.php';
// If you are logged in, but you don't have the cookie and you have not checked the remember checkbox (a browser restart), destroy the session
if(!empty($_SESSION['reference']) && !isset($_COOKIE['unifyLogin']) && empty($_SESSION['remember'])){
    $_SESSION = array();
    session_destroy();
    echo "expired";
}
// Escaping all input data (guarding against missing fields so a bare request does not raise notices)
$_POST['username'] = mysql_real_escape_string(isset($_POST['username']) ? $_POST['username'] : '');
$_POST['password'] = mysql_real_escape_string(isset($_POST['password']) ? $_POST['password'] : '');
$_POST['remember'] = isset($_POST['remember']) ? (int)$_POST['remember'] : 0;
$result = mysql_query("SELECT ID,REFERENCE FROM USER WHERE USERNAME='{$_POST['username']}' AND PASSWORD='{$_POST['password']}'");
$row = $result ? mysql_fetch_assoc($result) : false;
// If everything is OK login
if($row && $row['REFERENCE']) {
    $_SESSION['secure'] = false;
    // Store some data in the session
    $_SESSION['id'] = $row['ID'];
    $_SESSION['reference'] = $row['REFERENCE'];
    $_SESSION['remember'] = $_POST['remember'];
    // We create the cookie
    setcookie('unifyLogin',$_POST['remember']);
    echo "success";
} else {
    echo "failure";
}
?>
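For comparison, here is a hardened replacement for process.php, added as an example and not the asker's code. It assumes connect.php exposes a PDO instance as $pdo, that USER.PASSWORD holds password_hash() output, and that a REMEMBER_TOKEN table (USER_ID, TOKEN_HASH, EXPIRES) exists; the table name and columns are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes connect.php provides $pdo (PDO),
// USER.PASSWORD stores password_hash() output, and a REMEMBER_TOKEN table
// (USER_ID, TOKEN_HASH, EXPIRES) exists. Those names are assumptions.
session_start();
require '../../tools/db/connect.php';
header('Content-Type: application/json');

// Reply with JSON so the client branches on a field, not a bare string compare.
function reply(bool $ok, string $message): void {
    echo json_encode(['ok' => $ok, 'message' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reply(false, 'Method not allowed');
}
$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');
$remember = !empty($_POST['remember']);

// Prepared statement: user input never becomes part of the SQL text.
$stmt = $pdo->prepare('SELECT ID, REFERENCE, PASSWORD FROM USER WHERE USERNAME = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash, and still run the check when no user
// matched so an unknown name takes as long to reject as a wrong password.
$hash = $row['PASSWORD'] ?? password_hash('dummy', PASSWORD_DEFAULT);
if (!$row || !password_verify($password, $hash)) {
    reply(false, 'Incorrect username or password');
}

// Fresh session id on login defeats session fixation.
session_regenerate_id(true);
$_SESSION['id'] = $row['ID'];
$_SESSION['reference'] = $row['REFERENCE'];

if ($remember) {
    // "Remember me" is an unguessable token, not a flag the client can set to 1.
    // Only its hash is stored, so a database leak does not yield working cookies.
    $token = bin2hex(random_bytes(32));
    $expires = time() + 14 * 24 * 60 * 60;
    $ins = $pdo->prepare('INSERT INTO REMEMBER_TOKEN (USER_ID, TOKEN_HASH, EXPIRES) VALUES (?, ?, ?)');
    $ins->execute([$row['ID'], hash('sha256', $token), $expires]);
    setcookie('unifyLogin', $token, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
}
reply(true, 'success');
```

On a later request the cookie's value is hashed again and looked up in REMEMBER_TOKEN; the plaintext token itself is never stored.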