
I’ve got an Ajax-based script that is designed purely to run a PHP script to authenticate a user. As with user authentication, there could be one of two outcomes: either they get authenticated or they don’t.
To signify success or failure back to the page that called it is extremely easy: you just `echo 'success';` or `echo 'failure';` accordingly and have the JS/jQuery script handle it by the response string. (Or at least I think that’s good practice..)

But apart from essentially returning true or false, if it returned false I would also like to give a message back as to why it failed. Did the user exist? Was the password incorrect? Or did the database access go wrong and need to spit out a technical error code? Since we are responding with true or false already, we can’t send back a message alongside the false statement, otherwise it technically isn’t false as there is more data.

Now I have had these ideas, but I feel like there is a better way to do it:

  • Return an array [true/false, “String to display”] though this seems clunky within the PHP file and also parsing it on the page
  • Return success when we want to return true, and label anything else as a failure and assume it’s a message for failure

But in all honesty I feel like this whole text response method is bad, especially for something like user authentication, as it could possibly be spoofed easily(?), so what would be the recommended way to achieve something like this?

Thanks in advance!

SteppingHat
    You can easily handle it with `JSON` – EhsanT Feb 19 '16 at 03:02
  • Anything can be spoofed at the client side. That is why sessions exist in PHP, which is server side. What you send and how you parse it at the client side depends purely on your skill set and taste, but I would also suggest JSON, as it is much easier to handle/maintain. Note: I would never tell the user specifically if the user doesn't exist or the password is wrong (giving more options to hack); I would just say `wrong credentials` – bansi Feb 19 '16 at 03:10
  • If you want to learn more about best practices, check out existing PHP frameworks to see how they do it. For example, Laravel just added a feature to throttle authentication requests: `By default, the user will not be able to login for one minute if they fail to provide the correct credentials after several attempts. The throttling is unique to the user's username / e-mail address and their IP address.` https://laravel.com/docs/5.2/authentication#authentication-throttling – Raphael Rafatpanah Feb 19 '16 at 03:15
  • A great place to start: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication – Krii Feb 19 '16 at 03:19
  • @bansi In terms of session, that is all handled in PHP with the session ID, cookies and a whole bunch of other verification, so even if the user spoofed it client side to get past the login window, it would spit them straight back due to a dodgy session. Also I never say either no user or wrong password, but there are scenarios where I would need to display another message apart from bad credentials, such as 'account not activated' or 'account has been banned for x amount of time'. These are cases which I believe would be *important* to not only return a fail but a message alongside it. – SteppingHat Feb 19 '16 at 05:22

1 Answer


This is purely opinion based, but I think you're missing two important concepts when handling communication between two systems such as PHP (server) and JavaScript (client).

One, evaluating response codes. If the HTTP response code is 200, it indicates OK, 201 indicates a resource was created (possibly a session), 401 indicates the user is unauthorized. Given this, just by the HTTP response, you should be able to tell if the action succeeded or not.

Two, using JSON or a markup language. You can pass a JSON string to include both the status and the message and parse the JSON string in JavaScript.

Example in PHP being:

```php
<?php
// Signal the failure through the HTTP status code (401 Unauthorized)...
http_response_code(401);
// ...and carry the detail in a JSON body the client can parse
$response = [
    'success' => false,
    'message' => 'Password incorrect'
];
echo json_encode($response);
```
Devon Bessemer
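A fuller version of the answer's approach, added here as an example and not Devon's code: a login endpoint that maps each outcome to a status code plus a JSON body. It assumes a constructed `$user` record standing in for the database row (the field names are assumptions; `password_hash`/`password_verify` are standard PHP).

```php
<?php
// Added example, not the answer's code. Maps the outcome of a login attempt to an
// HTTP status code plus a JSON body. The $user record and its fields are assumed;
// replace with your own lookup.

function loginResult(?array $user, string $password): array
{
    // Missing user and wrong password get the identical status and wording, so the
    // response does not tell a caller which usernames exist.
    if ($user === null || !password_verify($password, $user['hash'])) {
        return [401, ['success' => false, 'message' => 'Wrong credentials']];
    }
    // Account-state messages are only given once the password has been verified;
    // before that point they would reveal the account's existence and state.
    if (!$user['activated']) {
        return [403, ['success' => false, 'message' => 'Account not activated']];
    }
    if ($user['banned_until'] !== null && $user['banned_until'] > time()) {
        return [403, ['success' => false, 'message' => 'Account suspended, try again later']];
    }
    return [200, ['success' => true, 'message' => 'Logged in']];
}

function sendJson(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

try {
    // Constructed sample record standing in for the database row.
    $user = [
        'hash'         => password_hash('correct horse', PASSWORD_DEFAULT),
        'activated'    => true,
        'banned_until' => null,
    ];
    [$status, $body] = loginResult($user, $_POST['password'] ?? '');
    sendJson($status, $body);
} catch (Throwable $e) {
    // Database or other internal failure: keep the detail in the server log and
    // send the browser only a generic message with a 5xx status.
    error_log('login failed: ' . $e->getMessage());
    sendJson(500, ['success' => false, 'message' => 'Temporary error, try again later']);
}
```

On the client, jQuery's `.done()` then covers the 200 case and `.fail()` the 401/403/500 cases, with `message` read from the parsed JSON in either branch.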
  • Excellently worded answer. – Darren Feb 19 '16 at 03:15
  • @Darren Should I make the jQuery pick up on the response code? – SteppingHat Feb 19 '16 at 05:36
  • @SteppingHat, jQuery will automatically interpret a 2XX code as a success and a 4XX as a failure (.done() and .fail() respectively). You can also change the action based on the specific status code: http://api.jquery.com/jquery.ajax/. This goes beyond just jQuery though; HTTP response codes are useful for any integration. – Devon Bessemer Feb 19 '16 at 06:16
  • So would I even need to return response as an array? If jQuery can interpret a success or a failure via the response code, why can't I just echo a message on its own? – SteppingHat Feb 20 '16 at 03:53