robert@0
|
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
|
robert@0
|
2 "http://www.w3.org/TR/html4/loose.dtd">
|
robert@0
|
3 <html>
|
robert@0
|
4 <head>
|
robert@0
|
5 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
robert@0
|
6 <title>AJAX Login System Demo</title>
|
robert@0
|
7 <script src="md5.js" type="text/javascript">
|
robert@0
|
8 // javascript md5 encoder originated from <http://pajhome.org.uk/crypt/md5/>
|
robert@0
|
9 // used under license as outlined at <http://pajhome.org.uk/site/legal.html>
|
robert@0
|
10 // Copyright (c) 1998 - 2002, Paul Johnston & Contributors
|
robert@0
|
11 // All rights reserved.
|
robert@0
|
12 </script>
|
robert@0
|
13 <script src="xml_http_request.js" type="text/javascript">
|
robert@0
|
14 // xml http request script modified slightly from that found at
|
robert@0
|
15 // <http://www.webpasties.com/xmlHttpRequest/index.html>, which is
|
robert@0
|
16 // Copyright 2005 Bill Bercik.
|
robert@0
|
17 </script>
|
robert@0
|
18 <script src="login_controller.js" type="text/javascript"></script>
|
robert@0
|
19 <script src="login_presentation.js" type="text/javascript"></script>
|
robert@0
|
20 <link rel="stylesheet" href="login.css" type="text/css" />
|
robert@0
|
21 </head>
|
robert@0
|
22
|
robert@0
|
23 <body>
|
robert@0
|
24
|
robert@0
|
25 <h1>AJAX Login System Demo</h1>
|
robert@0
|
26 <strong>Creating a secure login system using XMLHttpRequest</strong>
|
robert@0
|
27
|
robert@0
|
28 <p>This is an example of a login system that does not require page refreshes, but is still very secure. Valid
|
robert@0
|
29 usernames and passwords for this demo are user1/pass1 and user2/pass2. Try these, and also incorrect passwords
|
robert@0
|
30 to see the results.</p>
|
robert@0
|
31
|
robert@0
|
32 <p>Please note that this is not a functional form, your input will not go anywhere. It is solely for demonstrating
|
robert@0
|
33 an XMLHttpRequest login system in javascript.</p>
|
robert@0
|
34
|
robert@0
|
35 <h2>Advantages</h2>
|
robert@0
|
36 <ul>
|
robert@0
|
37 <li>User does not need to refresh the page to login.</li>
|
robert@0
|
38 <li>User is notified <em>instantly</em> on incorrect username/password combination.</li>
|
robert@0
|
39 <li>Overall user experience is more seamless.</li>
|
robert@0
|
40 <li>Password is not sent in plain text <em>ever</em> (more secure than traditional system).</li>
|
robert@0
|
41 <li>Javascript convenience with server-side security (uses PHP/MySQL).</li>
|
robert@0
|
42 <li>Uses one-time use random seed to hash the password before sending (making interceptions useless).</li>
|
robert@0
|
43 </ul>
|
robert@0
|
44
|
robert@0
|
45 <h2>Disadvantages</h2>
|
robert@0
|
46 <ul>
|
robert@0
|
47 <li>System is more prone to brute force attacks.
|
robert@0
|
48 <ul><li>Can be minimized by adding a delay after a certain number of attempts per username or per client.</li></ul></li>
|
robert@0
|
49 <li>User may expect a login button.
|
robert@0
|
50 <ul><li>One could still be added without reloading the page.</li></ul></li>
|
robert@0
|
51 <li>Older versions of Safari cannot disable a password field.</li>
|
robert@0
|
52 <li><strong>This code uses the MD5 encryption algorithm, which has since been proven to be less secure than previously thought. If you use this code, I strongly recommend you switch to a more secure encryption algorithm, such as SHA-1.</strong> For sites were security is not crucial, MD5 should suffice.</li>
|
robert@0
|
53 </ul>
|
robert@0
|
54
|
robert@0
|
55 <h2>Demonstration</h2>
|
robert@0
|
56
|
robert@0
|
57 <div id="post_comment">
|
robert@0
|
58 <form action="post" onSubmit="return false">
|
robert@0
|
59 <div id="login" class="login">
|
robert@0
|
60 <label for="username">Username: </label>
|
robert@0
|
61 <input type="text" name="username" id="username" size=20>
|
robert@0
|
62 <label for="password">Password: </label>
|
robert@0
|
63 <input type="password" name="password" id="password" size=20>
|
robert@0
|
64 <p id="message">Enter your username and password to log in.</p>
|
robert@0
|
65 </div>
|
robert@0
|
66 <label for="comments">Comments:</label>
|
robert@0
|
67 <textarea rows="6" cols="80" id="comments"></textarea>
|
robert@0
|
68 </form>
|
robert@0
|
69 </div>
|
robert@0
|
70
|
robert@0
|
71 <h2>Source</h2>
|
robert@0
|
72 <ul>
|
robert@0
|
73 <li><a href="login.html">login.html</a></li>
|
robert@0
|
74 <li><a href="login.css">login.css</a></li>
|
robert@0
|
75 <li><a href="login_controller.js">login_controller.js</a></li>
|
robert@0
|
76 <li><a href="login_presentation.js">login_presentation.js</a></li>
|
robert@0
|
77 <li><a href="xml_http_request.js">xml_http_request.js</a></li>
|
robert@0
|
78 <li><a href="md5.js">md5.js</a></li>
|
robert@0
|
79 <li><a href="login.phps">login.php</a></li>
|
robert@0
|
80 </ul>
|
robert@0
|
81
|
robert@0
|
82 <h2>Questions</h2>
|
robert@0
|
83 <p><strong>Can I copy your code?</strong><br>
|
robert@0
|
84 Sure, although I'd recommend you rewrite it as you go so you can actually learn
|
robert@0
|
85 something useful. Also, passing someone else's code as your own is just uncool.
|
robert@0
|
86 </p>
|
robert@0
|
87 <p><strong>Why didn't you use [insert technology here]?</strong><br>
|
robert@0
|
88 Basically I haven't done web development in close to a year, so I used what I knew best
|
robert@0
|
89 (PHP/MySQL) and used the Javascript that I remembered, along with a little bit of
|
robert@0
|
90 refreshing my memory. Perhaps I should have used object-oriented PHP or Javascript, but
|
robert@0
|
91 this works. If it is slightly confusing, I apoligise, this is only meant as a proof-of-concept.</p>
|
robert@0
|
92 <hr>
|
robert@0
|
93 <p>Created: 28 Jan 2005.</p>
|
robert@0
|
94 <p>Last updated: 1 Dec 2005. Copyright © 2005.
|
robert@0
|
95 </body>
|
robert@0
|
96 </html>
|