Ajax to PHP Login Script Secure

Tags: php


To be secure, you need to ensure at minimum three things:

  1. The input box, type=password: the user control in which the user enters the password is a password input type, or a custom control designed for this purpose which has been sufficiently validated for not caching, etc.
  2. The connection, https: in its current state, your question does not mention whether or not the connection is over https. It is more secure if the login box itself is displayed through a secure connection. In addition, the ajax needs to post across the secure connection.
  3. Hash passwords properly: use the native PHP password hashing API (password_hash()) to hash passwords, and store the hash in your database. Verify input passwords by using the password_verify() function.

To do it "right" you should also consider:

  1. Control the rate and number of failed login requests.
  2. Record login statistics so that you can identify strange behavior and investigate it.
  3. Use browser-side AND server-side password strength testing to validate users' new passwords as being strong enough.
  4. Use a captcha to prevent pedestrian automation.
  5. Create a database user especially for authentication. Limit table/schema access accordingly. Use a separate subdomain for authentication. Use fastcgi-php or suphp to set the user for auth access to the database. Allow the normal PHP database user to only read a semaphore or other login state credential from this "sandbox."
  6. When users are entering their passwords, use site verification, ssl, and a verification "phrase" or picture they set when they created their account so they can be sure they are inputting to your server.

Additionally, most security concerns are going to be involved in what you do after the login. How do you plan to maintain the user's session? Greater security usually requires compromising convenience to the user. You need to consider carefully what type of abilities and information the user will have access to once authenticated. Your security plan should take that into account.

An alternative you might consider is using OAuth2 providers such as Google and Facebook.
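The three "minimum" points and the first and third "right" points above (native hashing with password_hash()/password_verify(), throttling failed logins, and a server-side strength check) fit into one small login handler. The following is an added example, not code from the answer above or from the asker's script: it uses an in-memory SQLite database through PDO so it runs stand-alone with `php login_example.php`, and the table layout, the lockout policy (five failures, fifteen-minute lock) and the strength rule are assumptions chosen for the example.

```php
<?php
// Added example, not code from the original answer. Stores only password_hash()
// output, checks it with password_verify(), locks an account after repeated
// failures, and enforces a server-side strength rule on new passwords.
// Table layout, lockout policy and strength rule are assumptions.
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5;   // assumed policy: lock after 5 wrong passwords
const LOCKOUT_SECONDS     = 900; // assumed policy: keep the lock for 15 minutes

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL, failed_attempts INTEGER NOT NULL DEFAULT 0,
        locked_until INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Server-side strength rule (assumed). Mirror it in the browser for instant
// feedback, but this copy is the one that actually protects the account.
function passwordIsStrongEnough(string $password): bool
{
    return strlen($password) >= 12
        && preg_match('/[a-z]/', $password) === 1
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

function registerUser(PDO $pdo, string $username, string $password): bool
{
    if (!passwordIsStrongEnough($password)) {
        return false;
    }
    // PASSWORD_DEFAULT is bcrypt today; salt and cost are embedded in the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
        ->execute([$username, $hash]);
    return true;
}

// Hash of a throwaway value: verifying against it makes an unknown username cost
// about as much as a wrong password, so timing does not reveal which users exist.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

function login(PDO $pdo, string $username, string $password, int $now): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        password_verify($password, dummyHash());
        return ['ok' => false, 'error' => 'invalid credentials'];
    }
    if ((int)$user['locked_until'] > $now) {
        return ['ok' => false, 'error' => 'account temporarily locked'];
    }
    if (!password_verify($password, $user['password_hash'])) {
        $failed = (int)$user['failed_attempts'] + 1;
        $lockedUntil = 0;
        if ($failed >= MAX_FAILED_ATTEMPTS) { // lock and restart the counter
            $lockedUntil = $now + LOCKOUT_SECONDS;
            $failed = 0;
        }
        $pdo->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?')
            ->execute([$failed, $lockedUntil, $user['id']]);
        return ['ok' => false, 'error' => 'invalid credentials'];
    }
    // Success: clear the counter and upgrade the stored hash if the default
    // algorithm or cost has changed since it was created.
    $pdo->prepare('UPDATE users SET failed_attempts = 0, locked_until = 0 WHERE id = ?')
        ->execute([$user['id']]);
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $user['id']]);
    }
    // In the real Ajax handler, call session_regenerate_id(true) here before
    // marking the session as authenticated.
    return ['ok' => true, 'user_id' => (int)$user['id']];
}

// Constructed walkthrough: register, then simulate an attacker guessing.
$pdo = openDb();
$now = time();
var_dump(registerUser($pdo, 'alice', 'short'));            // rejected by the strength rule
var_dump(registerUser($pdo, 'alice', 'Correct-Horse-42'));  // accepted and hashed
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) {
    login($pdo, 'alice', 'wrong-guess-' . $i, $now);        // each failure is counted
}
echo json_encode(login($pdo, 'alice', 'Correct-Horse-42', $now)), "\n";     // locked, even with the right password
echo json_encode(login($pdo, 'alice', 'Correct-Horse-42', $now + LOCKOUT_SECONDS + 1)), "\n"; // lock expired
echo json_encode(login($pdo, 'nobody', 'anything', $now)), "\n";            // same error as a wrong password
```

In the Ajax deployment the walkthrough at the bottom is replaced by reading `$_POST` (sent over https only), calling `login()`, and emitting the returned array as JSON with a `Content-Type: application/json` header; the browser side should treat anything other than `ok: true` identically, since the server already keeps the error for unknown users and wrong passwords the same.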