rlm@0: Creating a secure login system using XMLHttpRequest
rlm@0:
rlm@0:
This is an example of a login system that does not require page refreshes, but is still very secure. Valid
rlm@0: usernames and passwords for this demo are user1/pass1 and user2/pass2. Try these, and also incorrect passwords
rlm@0: to see the results.
rlm@0:
rlm@0:
Please note that this is not a functional form, your input will not go anywhere. It is solely for demonstrating
rlm@0: an XMLHttpRequest login system in javascript.
rlm@0:
rlm@0:
Advantages
rlm@0:
rlm@0:
User does not need to refresh the page to login.
rlm@0:
User is notified instantly on incorrect username/password combination.
rlm@0:
Overall user experience is more seamless.
rlm@0:
Password is not sent in plain text ever (more secure than traditional system).
rlm@0:
Javascript convenience with server-side security (uses PHP/MySQL).
rlm@0:
Uses one-time use random seed to hash the password before sending (making interceptions useless).
rlm@0:
rlm@0:
rlm@0:
Disadvantages
rlm@0:
rlm@0:
System is more prone to brute force attacks.
rlm@0:
Can be minimized by adding a delay after a certain number of attempts per username or per client.
rlm@0:
User may expect a login button.
rlm@0:
One could still be added without reloading the page.
rlm@0:
Older versions of Safari cannot disable a password field.
rlm@0:
This code uses the MD5 encryption algorithm, which has since been proven to be less secure than previously thought. If you use this code, I strongly recommend you switch to a more secure encryption algorithm, such as SHA-1. For sites were security is not crucial, MD5 should suffice.
Can I copy your code?
rlm@0: Sure, although I'd recommend you rewrite it as you go so you can actually learn
rlm@0: something useful. Also, passing someone else's code as your own is just uncool.
rlm@0:
rlm@0:
Why didn't you use [insert technology here]?
rlm@0: Basically I haven't done web development in close to a year, so I used what I knew best
rlm@0: (PHP/MySQL) and used the Javascript that I remembered, along with a little bit of
rlm@0: refreshing my memory. Perhaps I should have used object-oriented PHP or Javascript, but
rlm@0: this works. If it is slightly confusing, I apoligise, this is only meant as a proof-of-concept.