1

I'm wondering why AJAX is not used to log in nor register in most of the pages and it's used PHP reloading the whole page. Is it about security, or it's just that it's not practical at all?

Vilican
  • 2,703
  • 8
  • 21
  • 35
jogan
  • 23
  • 5
  • 2
    Potentially you could just use one single web page for your entire website and use ajax to serve different content to the user... potentially. – hownowbrowncow Jun 29 '15 at 20:52
  • 1
    AJAX logic is performed on the client-side, which is a bad place for security. PHP is executed server-side. – schroeder Jun 29 '15 at 21:50
  • I've read that if AJAX is correctly aplied is almost as secure as PHP, is that false? [Is ajax fundamentally insecure? | stackexchange.com](http://security.stackexchange.com/questions/2486/is-ajax-fundamentally-insecure) – jogan Jun 29 '15 at 22:30
  • Depends on the task. Can't use it for authentication or whenever else a lying client would cause problems. Using it for basic data processing is fine. – Natanael Jun 30 '15 at 08:25
  • @Natanael Are you perhaps confusing JavaScript with AJAX? AJAX is just another means of making a request to the server. Doesn't matter if the client lies as long as the server doesn't trust the client. I don't see how the request being made with AJAX changes that at all. The client can lie using a regular form submission just as easily as it can through an AJAX request. – Ajedi32 Jul 02 '15 at 13:49
  • @Ajedi32 not trusting the client was my point. The server must confirm the results – Natanael Jul 06 '15 at 14:09
  • @Natanael Ah okay. I think we're on the same page. What did you mean then when you said that you "can't use it [AJAX] for authentication"? You absolutely can use AJAX for authentication; the server just has to confirm the results (as with any other request). Submitting login credentials via AJAX is really no different than submitting them via a form, right? – Ajedi32 Jul 06 '15 at 14:19
  • @Ajedi32 if you let the client tell you if auth succeeded or not, you've got problems. Didn't comment exclusively on Ajax – Natanael Jul 06 '15 at 18:44

1 Answers1

4

I'm wondering why AJAX is not used to log in nor register in most of the pages and it's used PHP reloading the whole page. Is it about security, or it's just that it's not practical at all?

Ajax is not a special thing regarding the transport of the login data, because it is a HTTP request done in the background instead of the foreground. Thus if done correctly the security should be the same.

But, with a normal foreground HTTP request you update the full page and thus take the current browser tab fully into a different security level (i.e. logged in vs. logged out). With Ajax you update only part of this page. If you are not careful you might mix this way content from different security levels on the same page so that data from different security realms might interact with each other.

Thus using a new page instead of updating an existing page is not only the more simple approach but also the one where it is easier to verify that everything was done correctly.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424