
Is it safe to use GET method in XMLHTTPRequest for login?


smagdy

11:28 am on Apr 13, 2008 (gmt 0)




Hello!

Is it safe to use GET method in XMLHTTPRequest for login or I must use POST method?

Thanks in advance

smagdy

1:33 pm on Apr 14, 2008 (gmt 0)




Anybody please ?

Fotiman

3:12 pm on Apr 14, 2008 (gmt 0)




Short answer: No, it's not safe. Use POST.

httpwebwitch

6:17 pm on Apr 14, 2008 (gmt 0)




GET or POST - the difference is actually minimal. Fotiman's "short answer" is right, GET is easier to intercept, and easier to hack, but only because GET requests can be constructed using a browser by just about anyone; GET information appears in the logs, and to construct a fake POST you usually need to use some other tool.

What matters more than your XHR method is that you're not using a Javascript variable to verify authentication. Security must happen at the server - with no exception. If your client-side code contains a variable like "is_admin", I can easily (I mean, really easy, trust me) change that from "false" to "true" using widely available debugging tools.

Unless you know what you're doing, authentication and AJAX are not a good mix. That said, secure authentication via AJAX *is* possible, but it's easy to do badly, so I normally don't recommend it.

Instead of XmlHttpRequest for your login form, why not just use an old-fashioned <form method=post>, and a submit button?

edited typo

smagdy

6:43 pm on Apr 14, 2008 (gmt 0)




Thanks, I will use normal login :)

But I want to know: if I used the GET method and received the username and password in Javascript, then passed it to a PHP file and checked it in the database with mysql_real_escape_string, and if correct set sessions, else sent an error... then how can it be hacked?

Thanks again!

httpwebwitch

7:41 pm on Apr 14, 2008 (gmt 0)




pass it to PHP file and check it in the database with mysql_real_escape_string and if correct then set sessions

You're using sessions instead of a client-side variable, and mysql_real_escape_string - I think you'll be OK.

If you have Web Service like http://example.com/checkpassword.php?u=&p=, make sure it's not vulnerable to a SQL injection (mysql_real_escape_string = good!), or else a hacker could use that to steal your entire db of passwords.

Here is what claims to be good authentication via XHR [ajaxpatterns.org]

Fotiman

3:06 pm on Apr 15, 2008 (gmt 0)



but i want to know if I used GET method and received the username and password in Javascript then pass it to PHP file and check it in the database with mysql_real_escape_string and if correct then set sessions else send error.... then how can it be hacked?

When you pass the values (via a GET or via a POST), they are sent as plain text, which means that anyone sniffing on HTTP traffic between you and your server can easily see the username and password that you are sending. You want to make sure that you're transmitting over a secure (SSL) connection, meaning the protocol used should be https instead of http.