5

A short answer - are there any security issues in sending e-mail + password through AJAX to another page? :)

My thought is that the information could maybe be grabbed while it is being sent, which may be a flaw compared to doing it "the conventional way" with just a form action pointing to the login-action page.

Thanks in advance.

denlau

4 Answers

4

It's the same whether you send your password with a form over POST or send an AJAX request over POST. You should use SSL; then the request is encrypted and safe.

But you should use a POST request. Don't send your password over GET; it's not the best way.

jQuery/AJAX login form submit on enter

René Höhle
  • So what I can read from your answer is, that sending a form by an AJAX form request is just as vulnerable as sending it with a normal POST? :) – denlau Sep 25 '13 at 12:31
  • Can you expand on why GET is not the best way? As it stands it just seems like a random unjustified statement – musefan Sep 25 '13 at 12:33
  • POST vs GET http://stackoverflow.com/questions/198462/is-either-get-or-post-more-secure-than-the-other With the caveat that for a GET the URL shown in the location bar can expose data that would be hidden in a POST. – mahatmanich Sep 25 '13 at 12:46
2

You can transform the password into a hash on the client side before it is sent anywhere and then do the hash comparison on the server side.

But you have the same problem with a POST or GET request ... it is always the same if you don't use SSL; however, in the light of the NSA ordeal, even that seems less secure.

EDIT It could make sense if you convert the password to a hash client-side, store it in a hidden field and send it off for comparison instead of sending the password. This however poses the threat that hashes could be collected directly client-side. Further, it would be bad because you would also need to expose your seeding (which you should be using anyhow), etc. It is a flawed approach.

Use SSL and be done with it.

You could however bloat your request with http://www.jcryption.org which is based on jQuery

mahatmanich
2

The "conventional way" that you refer to is as bad as POSTing an AJAX request. Sending via HTTPS instead of HTTP gives you better security (but sceptics would quickly point out that some encryption schemes used via HTTPS are trivial to decode).

Rowland Shaw
1

No.
You need to set up SSL on your server and use an HTTPS connection in order to be saf*er*.

Vlad