6

I currently have a standard login form like this:

<?php
if( isset( $_POST['username], $_POST['password'] ) ) {
    // escape both strings and compare them to database
}

?>
<form action="" method="post">
    <input type='text' value='username' name='username'></input>
    <input type='password' value='password' name='password'></input>
    <input type='submit' value='submit'></input>
</form>

I want to move to AJAX, so the new page doesn't refresh. This is my new method:

<script>
function login_ajax() {
     var formdata = new FormData();
     var ajax = new XMLHttpRequest();
     formdata.append('username', document.getElementById('username').value;
     formdata.append('password', document.getElementById('password').value;
     ajax.open( "POST", "https://my-website.com/login_validation.php" );
     ajax.onreadystatechange = function() {
         if(ajax.readyState == 4 && ajax.status == 200) {
             // do something
         }
    }
    ajax.send( formdata );
}

</script>
?>
<form action="" method="post" onsubmit='login_ajax(); return false;'>
    <input type='text' value='username' id='username'></input>
    <input type='password' value='password' id='password'></input>
    <input type='submit' value='submit'></input>
</form>

And my login_validation.php looks like this:

<?php
if( isset ( $_POST['username'], $_POST['password'] ) ) {
    // escape strings compare to database and sign on

}

Is the second method less secure than the first?

Tim von Känel
  • 197
  • 1
  • 8
  • 1
    `escape strings compare to database and sign on` implies to me that you're not hashing passwords. If that's the case, please read [this](https://security.stackexchange.com/a/31846/151903) and do things properly (preferably by using [`password_hash`](http://php.net/manual/en/function.password-hash.php)). – AndrolGenhald Apr 17 '18 at 14:53
  • ty, im using the wordpress wp_sign_on and wp_insert_user functions, it hashes and salts it automatically for me – Tim von Känel Apr 17 '18 at 16:59

2 Answers2

7

They are both equally secure. There are mistakes you could make in any version, but none is inherently better than the other.

What is relevant for the security of your login is the server side. You can put no security restrictions on the client, since any such restrictions could be trivially bypassed. So the important thing here is the code on the server side doing the validation. And that's the same for both options here - it checks that it's a POST request, and check if the username and password are correct.

Anders
  • 65,052
  • 24
  • 180
  • 218
3

Like Anders said, it doesn't really matter - Be it AJAX or non-AJAX. The main security principles rely on how you secure the codes. OWASP Testing Guide is a good start for you to take a look.

Please find two sections related to Login functionality:

https://www.owasp.org/index.php/Testing_Identity_Management

https://www.owasp.org/index.php/Testing_for_authentication

yehg.net
  • 56
  • 1