In many places (Google, Yahoo, Stack Exchange...) I found that Ajax coding (for example a php+Ajax login system) is not, and cannot be, secure enough. There are so many reservations about Ajax security, and nowhere can you find an example of secure Ajax code.

At the same time, all these sites (even Facebook, Twitter...) USE a lot of Ajax code, for registering and logging in users, for commenting features etc. Seems like a Top Secret matter.
So, could someone show an example of secure php-Ajax code?

Alegro
  • AJAX is a regular http request. There is **nothing** special for protection of ajax endpoints in comparison to other pages. – zerkms Dec 28 '12 at 07:25
  • @zerkms, if there is nothing special, why is it impossible to find a valid example code? For regular php login, registering, etc. there are a lot of examples. – Alegro Dec 28 '12 at 07:28
  • it's not possible to find because there is nothing specific to AJAX. You just write the same code as you do for other pages – zerkms Dec 28 '12 at 07:30
  • Though I have not used it in any of my applications, I have heard about SAJA. You can surf the net for SAJA. Just a suggestion. Check this out: http://saja.sourceforge.net/ – Bhavik Shah Dec 28 '12 at 07:35
  • @Bhavik Shah: I say that not frequently, but now it's the time: that thing is a piece of sh!t – zerkms Dec 28 '12 at 07:37
  • @zerkms: Ok. I have mentioned that I have not used it and just heard about it. I have not forced Alegro to use it. He can make the decision on his own. I just wrote what I know that MIGHT help him. Btw, just a question out of curiosity, can you please tell why SAJA is a piece of sh!t? Really, I don't know. So, I am asking. It would be great if you can lead me somewhere. – Bhavik Shah Dec 28 '12 at 07:40
  • @zerkms, your comments show the things as I described. Each code is a piece of shit... Could you refer a link to code which is NOT a piece of shit? – Alegro Dec 28 '12 at 07:40
  • @Alegro: I'm here not to convince you about anything. I've replied to you. I said twice - there is nothing special in ajax. You think you know it better - ok, good luck with that. – zerkms Dec 28 '12 at 07:41
  • @Bhavik Shah: because there is no such thing as a "secure" or "insecure" ajax. It's just a http request, nothing more. – zerkms Dec 28 '12 at 07:42
  • @zerkms, thank you. You are answering a question which is not my question. – Alegro Dec 28 '12 at 07:44
  • @BhavikShah: I wonder if you even checked the demo (which doesn't work, by the way) on their page. Useless piece of junk it is. – Fr0zenFyr Dec 28 '12 at 07:44
  • @Alegro: you want a direct answer on your only question? No problem: ` – zerkms Dec 28 '12 at 07:45
  • @Fr0zenFyr: Ok friends. It was just a suggestion. I have already mentioned in my comment that I have never used it and had just heard about it. I don't understand this. Thanks anyway for informing me about this piece of sh!t. ahhahaha – Bhavik Shah Dec 28 '12 at 07:48
  • Bhavik, you should say, `excuse me` and not `ahahah` – Alegro Dec 28 '12 at 07:49

1 Answer

An AJAX request is just like a normal browser request, just in the background. So if you would normally have a login form that posts data to your checklogin.php, you can do the same with AJAX and it's equally secure.

Another thing to keep in mind is cross-site JavaScript calls. This is used for example when you are creating apps on Facebook to transfer data from/to your server. These requests have to be signed to make sure the data is coming from a valid source. This is done by using a secret and public key. These sites use OAuth to handle these requests. You can also implement this in your own site, but for any regular authentication (login/post messages/etc) this will not be needed. Just code like you would if it were a regular request.

Hugo Delsing
  • @Alegro: isn't it the same I said in the comments? ;-) – zerkms Dec 28 '12 at 07:45
  • @zerkms, of course, it's not the same. Hugo's post is an explanation. Your comments are just statements. – Alegro Dec 28 '12 at 07:47
  • In a way yes, but if you think you are providing the correct answer, why not add it as the answer? – Hugo Delsing Dec 28 '12 at 07:48
  • @Hugo Delsing: just because I don't know what else to write. You have added a totally irrelevant paragraph about OAuth. I cannot add something irrelevant just to make my answer look "solid". – zerkms Dec 28 '12 at 07:49
  • @HugoDelsing: Your answer is more of a comment than an answer. The question is about "secure" AJAX (which of course is pointless). – Fr0zenFyr Dec 28 '12 at 07:51
  • There are no rules about the length of the answer. If your answer is "Nothing special about ajax" and it's valid, then it will be accepted as the answer. But imo if you know what you are talking about that is enough, but considering he is asking about it, he likes an answer with just a bit more explaining to make it understandable. – Hugo Delsing Dec 28 '12 at 07:54
  • Umm... @Fr0zenFyr and zerkms, just cool down. The question isn't pointless even though AJAX requests are standard HTTP requests, and bashing other people here doesn't add any value... – eis Dec 28 '12 at 07:54
  • Fr0zenFyr> You are saying we should have sent in an answer saying "No" and that would be helpful to anybody? Just answering the question is not what this site is about. It's about helping people understand. – Hugo Delsing Dec 28 '12 at 07:55
  • @eis: the question isn't pointless indeed. What is pointless is repeating the same thing 3 times in the comments. And being satisfied with the answer which contains the same statement and an irrelevant paragraph about OAuth ;-) Well, to make the answer bigger there are a lot of authentication and authorization protocols left, let's mention them all here as well - it would be great, won't it? – zerkms Dec 28 '12 at 07:56
  • @HugoDelsing you might want to add a note to answer that if https is used, for some browsers both AJAX request protocol and parent page protocol must match for the thing to work, or other measures must be used, so in that sense it is not identical. See [this thread](http://stackoverflow.com/questions/1012777/https-request-via-ajax-from-http-page) and [this thread](http://stackoverflow.com/questions/1105934/ajax-using-https-on-an-http-page) for details. – eis Dec 28 '12 at 08:01
  • Eis > aren't those threads just about cross-site scripting? The problem is the cross-domain request. That one is HTTP and the other HTTPS might be bad for users' trust, but it's not blocked as far as I know – Hugo Delsing Dec 28 '12 at 08:08
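To make the accepted point concrete, here is an added example (not from the answer above or its author) of the `checklogin.php` the answer mentions, written so that one endpoint serves both a classic form POST and an AJAX POST with identical server-side checks. The file name comes from the answer; the `X-Requested-With` header convention, the `/home.php` and `/login.php` paths, the in-memory user store, and the assumption that `login.php` seeds the CSRF token into the session when it renders the form are assumptions of this example.

```php
<?php
// checklogin.php: a single login endpoint that accepts both a classic HTML
// form POST and an AJAX (XMLHttpRequest / fetch) POST. Every security check
// is done on the server and is identical for both callers; only the shape
// of the response differs.
declare(strict_types=1);

session_set_cookie_params([
    'httponly' => true,   // script on the page cannot read the session cookie
    'secure'   => true,   // cookie is only sent over HTTPS
    'samesite' => 'Lax',  // cookie is not attached to cross-site POSTs
]);
session_start();

// Constructed sample user store (hypothetical). A real application reads
// the username and stored hash from a database; the hash is produced with
// password_hash() at registration time.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// The AJAX client sets this header itself (assumed convention); the classic
// form does not. It selects the response format, never the checks.
$isAjax = ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';

function respond(bool $ok, string $message, bool $isAjax): void
{
    if ($isAjax) {
        http_response_code($ok ? 200 : 401);
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode(['ok' => $ok, 'message' => $message]);
    } else {
        // Classic form flow: store the message and redirect (assumed paths).
        $_SESSION['flash'] = $message;
        header('Location: ' . ($ok ? '/home.php' : '/login.php'), true, 303);
    }
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// CSRF: login.php (assumed) generates $_SESSION['csrf_token'] with
// bin2hex(random_bytes(32)) when it renders the form; both the form and the
// AJAX client send it back as the csrf_token field. A cross-site POST
// cannot know it, and hash_equals() compares in constant time.
$token = (string) ($_POST['csrf_token'] ?? '');
if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
    respond(false, 'Invalid request token.', $isAjax);
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// Always make exactly one password_verify() call, against a throwaway hash
// when the username is unknown, so the unknown-user and wrong-password paths
// cost the same bcrypt work. (The dummy hash is computed per request here to
// keep the file self-contained; a deployed app would keep one precomputed.)
$dummyHash  = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
$storedHash = $users[$username] ?? $dummyHash;
$valid = password_verify($password, $storedHash) && isset($users[$username]);

if (!$valid) {
    // One generic message for both failure causes: the endpoint must not
    // reveal which usernames exist.
    respond(false, 'Invalid username or password.', $isAjax);
}

// Success: rotate the session id to defeat session fixation, then record
// the login and issue a fresh CSRF token for the authenticated session.
session_regenerate_id(true);
$_SESSION['user'] = $username;
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
respond(true, 'Logged in.', $isAjax);
```

On the client side nothing changes between the two callers: a plain `<form method="post" action="checklogin.php">` with `username`, `password` and `csrf_token` fields, or a same-origin `fetch('checklogin.php', {method: 'POST', headers: {'X-Requested-With': 'XMLHttpRequest'}, body: new FormData(form)})`, both deliver the same fields to the same code path and both carry the session cookie. The only difference the server sees is which response format to produce, which is exactly the answer's point: the security lives in the endpoint, not in how the browser reached it.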