Friday, December 12, 2014

A Real Ajax Login System

Dashed borders let you know this is hard core web design.
Demo | Source

After a bit of Google searching, I could not find the login system I wanted. I would say 'fit my needs', but that's not accurate. There were tons that could fit the need, but I wanted a back-end PHP system that allows a user to log in by way of Ajax calls, specifically one that didn't require all my file names to end in .php. Is that necessary? No. Is that being picky? Probably. Is it fun to make it work anyway? Of course.

There are plenty of PHP Ajax-style login systems and examples out there. I started with this one from 9lessons.

I have no right to complain about other people's work, but wow, this code is hard to read and inconsistent. It works though, so I chose to clean it up and start making changes.

DISCLAIMER: I would like to note I am not a security expert. While I feel this system is decent enough, I cannot advise using it in a real application environment.

Here is a demo; note that all pages end in .html. You can log in with demouser and password, but check out the registration. That's where most of the magic is.

The demo stored passwords as an MD5 hash--at least it's not plain text, but I thought it would be worthwhile to change this to use PHP's password_hash and password_verify functions. This effectively made the minimum PHP version requirement 5.5.0, which wasn't a problem at home, but for the demo I had to include this library to make it work with 5.4.0 (Dreamhost!).

I also changed the database connector to PDO instead of mysqli. This way it can be used with any database (changeable in the config.php file). It also has the advantage of not being vulnerable to SQL injection, as long as every query goes through a prepared statement with bound parameters rather than string concatenation.

The biggest reason for the security disclaimer above is that I am not sure of the security risks posed by passing PHP session data to the browser. When a user logs in, the session is created from php/login.php. This requires sending an HTTP POST, which contains the user's entered password. There is probably a better way, but this works for now. If the username is found and the password is verified, the record for that user (except for the password hash) is sent back to the browser as a JSON object. In the demo you can see this in the console after logging in.

I recently finished a database course, so in many ways I'd like to use some real data constraints. I find theory and practice don't align well here. I maintain the username uniqueness by simply not allowing a user to register with a name that already exists. I came up with a real-time validation on the registration page: as a user types, if the value matches a username in the database the registration button doesn't enable.
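As an added example (not the post's own code), here is a register.php that backs the real-time check described above and also lets the database enforce the uniqueness the author mentions. It assumes PHP 7.1+, a $pdo handle from config.php with PDO::ERRMODE_EXCEPTION enabled, and a UNIQUE constraint on users.username; those names are assumptions, not taken from the demo.

```php
<?php
// register.php: added example, not the post's code. Assumes PHP 7.1+, a PDO
// handle $pdo from config.php set to PDO::ERRMODE_EXCEPTION, and a UNIQUE
// constraint on users.username so the database enforces uniqueness even when
// two registrations race past the live check.
declare(strict_types=1);
require __DIR__ . '/config.php';
header('Content-Type: application/json');

function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// The live "is this name taken?" query behind the registration page's check.
function usernameTaken(PDO $pdo, string $name): bool
{
    $st = $pdo->prepare('SELECT 1 FROM users WHERE username = :u');
    $st->execute([':u' => $name]);
    return $st->fetchColumn() !== false;
}

$username = trim((string)($_POST['username'] ?? ''));
$password = (string)($_POST['password'] ?? '');

// Called as the user types (?check=1): answer availability only, no insert.
if (isset($_GET['check'])) {
    respond(200, ['available' => $username !== '' && !usernameTaken($pdo, $username)]);
}
if ($username === '' || $password === '' || usernameTaken($pdo, $username)) {
    respond(409, ['ok' => false, 'error' => 'username unavailable or fields missing']);
}

// password_hash picks the algorithm and a random salt; only the result is stored.
$hash = password_hash($password, PASSWORD_DEFAULT);
try {
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => $username, ':h' => $hash]);
} catch (PDOException $e) {
    // SQLSTATE class 23 = integrity constraint violation: someone took the name
    // between the check and the insert. The constraint, not the check, decides.
    if (substr((string)$e->getCode(), 0, 2) === '23') {
        respond(409, ['ok' => false, 'error' => 'username unavailable']);
    }
    throw $e;
}
respond(201, ['ok' => true, 'username' => $username]);
```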

I know what you are thinking.

James ...
You're making it easy for the hackers to find out all your usernames!

Yes that is true, but my response is "who cares?" Really, why should user names be private?

There is a balance to be had between security and user friendliness.

Most websites will not tell a user which is wrong, the username or the password, on a failed login attempt. The idea is that a hacker won't know if the username is valid. BUT anyone can find out if a username is there simply by trying to register that name. Now they know all their hackory is not wasted on an invalid username.

Security should come from within the system. If a user fails to log in after so many attempts, red flags should be raised. A brute force attack can be thwarted with a 5 second lockout between attempts. It doesn't sound like much, but when you have the hardware to brute force a billion passwords per minute and are then limited to 12 per minute... those guys will go somewhere else. A normal user will not even notice. That being said, there is no timer lockout on failed attempts in this demo (yet).
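As an added example (not the demo's code), here is what php/login.php could look like with the flow from the session paragraph above plus the 5 second lockout just described. It assumes PHP 7.1+, a $pdo handle from config.php, and a users table with an extra integer column last_failed_at (an assumption added for the lockout); on 5.4 the post's compatibility library supplies password_verify.

```php
<?php
// login.php: added example, not the post's code. Assumes PHP 7.1+, a PDO
// handle $pdo created in config.php, and a users table with columns id,
// username, email, password_hash and last_failed_at (an integer epoch column
// assumed here to support the 5 second lockout the post describes).
declare(strict_types=1);
require __DIR__ . '/config.php';
session_start();
header('Content-Type: application/json');
const LOCKOUT_SECONDS = 5; // minimum gap between failed attempts per account
function fail(int $status, string $msg): void
{
    http_response_code($status);
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');
if ($username === '' || $password === '') {
    fail(400, 'missing credentials');
}

// The username is bound as a parameter, so it never becomes part of the SQL
// text; that, not PDO by itself, is what closes the SQL injection hole.
$stmt = $pdo->prepare('SELECT id, username, email, password_hash, last_failed_at FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false) {
    fail(401, 'invalid username or password');
}

// Lockout: refuse any attempt within LOCKOUT_SECONDS of this account's last failure.
if (time() - (int)($user['last_failed_at'] ?? 0) < LOCKOUT_SECONDS) {
    fail(429, 'too many attempts, try again in a few seconds');
}

if (!password_verify($password, $user['password_hash'])) {
    $pdo->prepare('UPDATE users SET last_failed_at = :t WHERE id = :id')
        ->execute([':t' => time(), ':id' => $user['id']]);
    fail(401, 'invalid username or password');
}

// Success: clear the failure mark, rotate the session id, never echo the hash.
$pdo->prepare('UPDATE users SET last_failed_at = NULL WHERE id = :id')->execute([':id' => $user['id']]);
session_regenerate_id(true);
$_SESSION['user_id'] = $user['id'];
unset($user['password_hash'], $user['last_failed_at']);
echo json_encode(['ok' => true, 'user' => $user]);
```

The lockout is per account and timestamp-based, so it costs one extra UPDATE on failure and nothing on the happy path; a user who mistypes once simply waits a few seconds.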

That's my two cents on security.

I plan to add more to this in the future. Feedback is appreciated, as always. :)

14 comments:

Unknown said...

Omg, thank you very very very much!!! I'm gonna use it

business analytics course in chennai with placement said...

Very awesome!!! When I seek for this I found this website at the top of all blogs in search engine. Data Scientist Course in Chennai

jacqulinedcruz said...

That's what I'm looking for no doubt you provide such useful information about development and Psychology Homework Help USA, I really appreciate your efforts.

business analytics course in chennai with placement said...

Pleasant blog! It's fascinating. Much obliged to you for sharing. Business Analytics Course in Dombivli

business analytics course in chennai with placement said...

Someone sometimes visits your blog regularly and recommended it in my experience to read as well. Data Science Course in Dombivli

business analytics course in chennai with placement said...

I truly like your composing style, incredible data, thank you for posting. Data Scientist Course in Vadodara

business analytics course in chennai with placement said...

Impressive. Your story always brings hope and new energy. Keep up the good work. Data Science Training in Chennai

Data Analytics Course in Dehradun said...

There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job! Data Science Training in Dehradun

business analytics course in chennai with placement said...

This is a wonderful article, given so much info in it. These types of articles keep the users' interest in the website, so keep on sharing more ... good luck. Data Science Course in Dehradun

marketing essay writing service said...

Without a doubt, that's what I'm looking for, and you offer such insightful information on growth and marketing, so I really appreciate your work.

Michael Wade said...

Thank you for another amazing post. Make a blog on business sustainability dissertation topics

Anonymous said...

A multitude of slots can well be expected from on-line casinos. However, the most shocking factor here is slot tournaments, which supplies excessive probabilities of winning giant payouts. Moreover, it's a lot more entertaining and available than the land-based casinos. Thus, on-line slots have really amplified the likelihood of winning jackpots, clearly indicating one other 카지노사이트 advantage for gamblers.

joe_chef90 said...

I think the top mobile game developers are doing a great job when it comes to developing games that are user-friendly and have a great login system. The login system is a great way to keep track of who's playing the game and to prevent any cheating. It also ensures that only the right people have access to the game and that the game is secure. Overall, I think it's great that mobile game developers are taking security seriously and making sure the games they develop are safe to play.

abogado de accidentes de semi camiones said...

I appreciate you sharing this blog. Very helpful. abogado de accidentes de semi camiones