Friday, December 12, 2014

A Real Ajax Login System

Dashed borders let you know this is hard-core web design.
Demo | Source

After a bit of Google searching, I could not find the login system I wanted. I would say 'fit my needs', but that's not accurate. There were tons that could fit the need, but I wanted a back-end PHP system that allows a user to log in by way of Ajax calls. Specifically, one that didn't require all my file names to end in .php. Is that necessary? No. Is that being picky? Probably. Is it fun to make it work anyway? Of course.

There are plenty of PHP Ajax-style login systems and examples out there. I started with this one from 9lessons.

I have no right to complain about other people's work, but wow, this code is hard to read and inconsistent. It works, though, so I chose to clean it up and start making changes.

DISCLAIMER: I would like to note I am not a security expert. While I feel this system is decent enough, I cannot advise using it in a real application environment.

Here is a demo; note all pages end in .html. You can log in with demouser and password, but check out the registration. That's where most of the magic is.

The demo stored passwords as an MD5 hash. At least that's not plain text, but MD5 is built to be fast, which is exactly the wrong property for password storage, so I thought it worthwhile to change this to PHP's password_hash and password_verify functions, which use bcrypt with a per-password salt and a tunable cost. This effectively made the minimum PHP version requirement 5.5.0, which wasn't a problem at home, but for the demo I had to include this library to make it work with 5.4.0 (Dreamhost!).

I also changed the database connector from mysqli to PDO. This way it can be used with any database PDO has a driver for (changeable in the config.php file). Combined with prepared statements and bound parameters, which keep user input out of the SQL text, this removes the SQL injection risk. PDO on its own does not: a query built by string concatenation is just as injectable through PDO as through mysqli.

The biggest reason for the security disclaimer above is I am not sure of the security risks posed by passing user data from the PHP session back to the browser. When a user logs in, the session is created from php/login.php. This requires sending an HTTP POST containing the user's entered password, so the site has to be served over HTTPS or that password crosses the network in the clear. There is probably a better way, but this works for now. If the username is found and the password is verified, the record for that user (except for the password hash) is sent back to the browser as a JSON object; any column in that record the page doesn't actually display is better left on the server. In the demo you can see this in the console after logging in.
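The login flow described above, as an added example rather than the demo's own php/login.php: a PDO prepared statement with a bound parameter looks up the user, password_verify checks the submitted password against the bcrypt hash, the session id is regenerated on success, and the user record goes back as JSON with the hash stripped. The table and column names (users: id, username, email, password_hash) and the config.php variable names ($dsn, $dbUser, $dbPass) are assumptions; the syntax stays within PHP 5.5 to match the post.

```php
<?php
// php/login.php, added example (not the demo's code).
// Assumed schema: users(id, username, email, password_hash).
// Assumed config.php variables: $dsn, $dbUser, $dbPass (hypothetical names).
header('Content-Type: application/json');

function jsonFail($status, $message)
{
    http_response_code($status);
    echo json_encode(['success' => false, 'error' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    jsonFail(405, 'POST required');
}

$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';
if ($username === '' || $password === '') {
    jsonFail(400, 'Username and password are required');
}

require __DIR__ . '/config.php';
$db = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// The username travels as a bound parameter, never as part of the SQL text.
$stmt = $db->prepare('SELECT id, username, email, password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch();

// One message for both "no such user" and "wrong password".
if ($user === false || !password_verify($password, $user['password_hash'])) {
    jsonFail(401, 'Invalid username or password');
}

// Transparently upgrade stored hashes when the default algorithm or cost changes.
if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
    $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
}

// A fresh session id at login defeats session fixation. The session holds
// only the user id; the browser only ever sees the session cookie.
session_start();
session_regenerate_id(true);
$_SESSION['user_id'] = (int) $user['id'];

// The hash stays on the server; return just the fields the page displays.
unset($user['password_hash']);
echo json_encode(['success' => true, 'user' => $user]);
```

The 401 branch deliberately uses the same wording for an unknown username and a wrong password; as the post goes on to say, the registration page gives usernames away anyway, but the login endpoint need not volunteer them too.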

I recently finished a database course, so in many ways I'd like to use some real data constraints. I find theory and practice don't align well here. I maintain username uniqueness by simply not allowing a user to register with a name that already exists. I came up with a real-time validation on the registration page: as a user types, if the value matches a username in the database, the registration button doesn't enable.
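The registration endpoint that backs the live "is this name taken?" check, as an added example (not the demo's code). It serves both the Ajax availability query and the actual INSERT, and it also shows how the "real data constraint" from the database course fits in: the typing-time check is advisory, and a UNIQUE constraint on users.username is what actually enforces uniqueness when two registrations race. The file name php/register.php, the action parameter, and the config.php variable names are assumptions.

```php
<?php
// php/register.php, added example (not the 9lessons code or the demo's own).
// Assumes users.username carries a UNIQUE constraint, e.g.:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(32) NOT NULL UNIQUE,
//                       email VARCHAR(255) NOT NULL,
//                       password_hash VARCHAR(255) NOT NULL);
// Hypothetical config.php variable names: $dsn, $dbUser, $dbPass.
header('Content-Type: application/json');
require __DIR__ . '/config.php';
$db = new PDO($dsn, $dbUser, $dbPass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

function jsonError($status, $message)
{
    http_response_code($status);
    echo json_encode(['error' => $message]);
    exit;
}

$action   = isset($_POST['action']) ? $_POST['action'] : 'register';
$username = isset($_POST['username']) ? trim($_POST['username']) : '';

// Restrict the character set so the availability check and the INSERT agree
// on what a username is (no trailing spaces, no case games, no Unicode lookalikes).
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
    jsonError(400, 'Username must be 3-32 letters, digits or underscores');
}

if ($action === 'check') {
    // Called by the Ajax handler as the user types. Advisory only.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    echo json_encode(['available' => $stmt->fetchColumn() === false]);
    exit;
}

$password = isset($_POST['password']) ? (string) $_POST['password'] : '';
$email    = isset($_POST['email']) ? trim($_POST['email']) : '';
if (strlen($password) < 8 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    jsonError(400, 'A valid email and a password of at least 8 characters are required');
}

// The constraint is the real uniqueness check. Two browsers can both see
// "available" and submit at once; the database accepts exactly one of them.
try {
    $ins = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)');
    $ins->execute([
        ':u' => $username,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    echo json_encode(['success' => true, 'id' => (int) $db->lastInsertId()]);
} catch (PDOException $e) {
    // SQLSTATE 23000 is an integrity constraint violation (duplicate key).
    if ((string) $e->getCode() === '23000') {
        jsonError(409, 'That username is already taken');
    }
    throw $e;
}
```

The JavaScript side can keep doing what the post describes (query with action=check and toggle the button), but it should also handle the 409, since the availability answer it got while the user was typing may already be stale by the time the form is submitted.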

I know what you are thinking.

James ...
You're making it easy for the hackers to find out all your usernames!

Yes that is true, but my response is "who cares?" Really, why should user names be private?

There is a balance to be had between security and user-friendliness.

Most websites will not tell a user which is wrong, the username or the password, on a failed login attempt. The idea is a hacker won't know if the username is valid. BUT anyone can find out if a username exists simply by trying to register that name. Now they know all their hackery is not wasted on an invalid username.

Security should come from within the system. If a user fails to log in after so many attempts, red flags should be raised. An online brute force attack can be thwarted with a 5 second lockout between attempts. Doesn't sound like much, but it doesn't matter whether the attacker has hardware that can try a billion passwords per minute: against the server they get 12 per minute per account, and those guys will go somewhere else. A normal user will not even notice. (The lockout does nothing against an attacker who has stolen a copy of the database and is guessing offline; that case is what the bcrypt hashing above is for.) That being said, there is no timer lockout on failed attempts in this demo (yet).
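The 5-second lockout the post describes but has not built, as an added example that is not part of the demo. It keys the delay on the username so an attacker gets at most twelve guesses a minute per account, and it records failures for unknown usernames as well, so the throttle itself cannot be used to tell real accounts from fake ones. The login_attempts table is hypothetical, and the UPDATE-then-INSERT is used instead of a vendor-specific upsert so it stays portable across the databases PDO supports.

```php
<?php
// php/throttle.php, added example (not in the demo).
// Assumes a hypothetical table:
//   CREATE TABLE login_attempts (
//       username     VARCHAR(32) PRIMARY KEY,
//       failures     INT NOT NULL,
//       last_failure INT NOT NULL   -- Unix timestamp of the latest failure
//   );
define('LOCKOUT_SECONDS', 5);

/** Seconds the caller must still wait before $username may try again; 0 means go ahead. */
function secondsUntilAllowed(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT last_failure FROM login_attempts WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $last = $stmt->fetchColumn();
    if ($last === false) {
        return 0;                      // no failures on record
    }
    $elapsed = time() - (int) $last;
    return $elapsed >= LOCKOUT_SECONDS ? 0 : LOCKOUT_SECONDS - $elapsed;
}

/** Record a failed attempt (portable UPDATE-then-INSERT instead of a vendor upsert). */
function recordFailure(PDO $db, $username)
{
    $now = time();
    $upd = $db->prepare('UPDATE login_attempts SET failures = failures + 1, last_failure = :t WHERE username = :u');
    $upd->execute([':t' => $now, ':u' => $username]);
    if ($upd->rowCount() === 0) {
        try {
            $ins = $db->prepare('INSERT INTO login_attempts (username, failures, last_failure) VALUES (:u, 1, :t)');
            $ins->execute([':u' => $username, ':t' => $now]);
        } catch (PDOException $e) {
            // Two first failures raced on a new row; the other one won, which is fine.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
}

/** A successful login clears the record so the next failure starts a fresh window. */
function clearFailures(PDO $db, $username)
{
    $stmt = $db->prepare('DELETE FROM login_attempts WHERE username = :u');
    $stmt->execute([':u' => $username]);
}

// Wiring into the login endpoint, after validating the POST and before the
// user lookup ($db and $username as set up there):
//
//   $wait = secondsUntilAllowed($db, $username);
//   if ($wait > 0) {
//       http_response_code(429);
//       header('Retry-After: ' . $wait);
//       echo json_encode(['success' => false, 'error' => 'Too many attempts, try again in ' . $wait . ' seconds']);
//       exit;
//   }
//   ... fetch $user and run password_verify ...
//   if (login failed) { recordFailure($db, $username); /* then the usual 401 */ }
//   else              { clearFailures($db, $username); }
```

Attempts made inside the window are refused before anything is recorded, so a hostile party hammering someone else's account can only ever delay the real user by up to five seconds; that bounded nuisance is the trade-off for the per-account key. A per-IP limit alongside it is worth adding, since a single source spreading one guess across many usernames is not slowed by this at all.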

That's my two cents on security.

I plan to add more to this in the future. Feedback is appreciated, as always. :)

15 comments:

Unknown said...

Omg, thank you very, very, very much!!! I'm gonna use it.

jacqulinedcruz said...

That's what I'm looking for, no doubt; you provide such useful information about development and Psychology Homework Help USA. I really appreciate your efforts.

marketing essay writing service said...

Without a doubt, that's what I'm looking for, and you offer such insightful information on growth and marketing, so I really appreciate your work.

Michael Wade said...

Thank you for another amazing post make blog on business sustainability dissertation topics

Anonymous said...

A multitude of slots can well be expected from on-line casinos. However, the most shocking factor here is slot tournaments, which supply excessive probabilities of winning giant payouts. Moreover, it's a lot more entertaining and available than the land-based casinos. Thus, on-line slots have really amplified the likelihood of winning jackpots, clearly indicating one other casino site advantage for gamblers.

joe_chef90 said...

I think the top mobile game developers are doing a great job when it comes to developing games that are user-friendly and have a great login system. The login system is a great way to keep track of who's playing the game and to prevent any cheating. It also ensures that only the right people have access to the game and that the game is secure. Overall, I think it's great that mobile game developers are taking security seriously and making sure the games they develop are safe to play.

computer cables and adapters said...

This is an awesome tool! With its help, users can log in to websites faster and more securely than ever. It's also great for developers because it allows them to create custom login experiences without having to write extra code. Thanks for sharing this great technology!

allan bennett said...

As of my last knowledge update in September 2021, Geekwagon is a website that offers a collection of interactive and playable text-based games, often referred to as "Choose Your Own Adventure" games. These games allow users to make choices that influence the outcome of the story.

Since my information might be outdated, and I don't have real-time access to the internet, I recommend that you visit the Geekwagon website directly or search for recent reviews or discussions related to Geekwagon to get the most up-to-date information and insights. Here's how you can go about finding reviews.
South Jersey FLSA lawyer

Kingston said...

Virginia Motorcycle Accident Lawyer
The Ajax login system is impressive, offering a seamless and efficient user experience. The code is secure, protecting user data. The interface is intuitive and user-friendly, making it easy for users to access their accounts. The detailed comments and documentation in the code are helpful for anyone looking to understand or modify the system. Overall, the Ajax login system is a valuable addition to web development resources, showcasing significant effort in creating a robust solution.

Jonnybairstow said...

As of September 2021, there is no specific information or reviews about "geekwagon.net." It's possible that the website is not well-known or was created after that. To find reviews, conduct an online search or visit the website directly. Check for user reviews, testimonials, and other relevant information on forums, social media platforms, or other websites where users discuss and share their experiences with "geekwagon.net" or its services.
divorce lawyers fairfax va

Parker said...

Motorcycle Accident Lawyer in Virginia Beach
The article "A Real Ajax Login System" is a comprehensive guide on creating a real Ajax login system, providing detailed and user-friendly instructions for beginners. The tutorial emphasizes security, user experience, and the use of Ajax for login functionality. It stands out for its clarity and thoroughness, making it perfect for developers at any skill level. The code samples and explanations in the tutorial are incredibly helpful, making it a hands-on learning experience. The tutorial's focus on best practices and error handling sets it apart, ensuring developers are well-prepared for real-world scenarios. The use of PHP and JavaScript in the tutorial is well-balanced, making it accessible to a wide audience of developers. The tutorial has been shared with fellow developers, who found it to be a valuable resource for enhancing their web applications. The real-world examples and troubleshooting tips provided are invaluable, helping developers overcome common challenges with ease. The author is commended for demystifying Ajax login systems, empowering developers to create more dynamic and user-friendly websites. This tutorial is a must-read for anyone looking to upgrade their website with Ajax-powered login functionality. It is a gem in the world of web development, and the author's positive feedback is a testament to its effectiveness.

Brookyln said...

I recently found much useful information on your website, especially this blog page, among the lots of comments on your articles. Thanks for sharing. I also wanna talk about used yachts for sale in Florida.

james anderson said...

Great job on developing a real Ajax login system! Your attention to detail and commitment to refining the code for security and flexibility is commendable. Looking forward to exploring the demo.
New Jersey Protection Order

samuel said...

The review for "A Real Ajax Login System" requires more details about the user's experience. The review should focus on the system's ease of setup, functionality, security, and recommendations. It should also include specific features, ease of use, and unique advantages. Any issues or limitations should be addressed. The review should be honest, objective, and avoid personal attacks. It should also be proofread before submission. The review aims to help others make informed decisions about the system.
flsa lawyer

jamesanderson said...

Impressive work on creating a real Ajax login system! Your commitment to enhancing the code, implementing password security, and using PDO for database connection showcases your dedication to improving functionality. Well done!
File Divorce in New York city