
I was reading about a login using ajax that they claim is secure and I can't see the weakness in it versus submitting a form to an https page. There might be one, but can someone point it out?

 

http://ajaxpatterns.org/Direct_Login

 

Basically it works like this:

1. User visits website.
2. Server handles initial page.
   2a. Server generates one-time seed (S) and stores it.
   2b. Server outputs page, including login form, and with one-time seed embedded somewhere on the page (e.g. in a Javascript variable).
3. User enters username (U) and password (P).
4. Browser handles submission.
   4a. Browser hashes password (P) using permanent hash function, to arrive at the attempted hash value (Ha) that should be held in the database.
   4b. Browser combines attempted hash (Ha) with one-time seed (S) to create one-time, double-hashed, value (Da).
   4c. Browser uploads username (U), double-hashed value (Da), and (for convenience) one-time seed (S).
5. Server authenticates.
   5a. Server verifies one-time seed (S) is valid.
   5b. Server extracts stored hash for this user (H) and combines it with the seed (S) to get one-time, double-hashed, value (D).
   5c. Server compares the double-hashed values (D and Da). If successful, it logs the user in (e.g. creates a new session and outputs a successful response code) and clears the one-time seed (S). If not, it either re-generates a new seed, or decrements a usage counter on the existing seed.


I was reading about a login using ajax that they claim is secure and I can't see the weakness in it versus submitting a form to an https page. There might be one, but can someone point it out?

 

That statement makes little sense.

 

Can you explain that a little better? I don't see how it doesn't make sense. What I'm asking is:

 

- Is this login method (with all the steps they suggest) truly secure?

 

And I was remarking on how their method is over http, not over https but to me it still seems secure, but perhaps I'm missing something. If so, what am I missing?

I would have to guess that ajax is as secure as a regular form->submit->result page set up. After all you are still sending and receiving posted data. The benefit I could see is that ajax is talking to other pages "behind the scenes" but nonetheless data is still being passed back and forth between server and client. This would allow an attacker to intercept that data and use it maliciously. I think you could hide more tricks into an ajax solution that would make it harder to hack but it wouldn't be 100% foolproof forever.

 

The method that you described is little more than a "normal" php form submission that's been salted, except it's called ajax. Salting seems to be the agreed upon way to add security to log in information as far as I've read elsewhere. I read that hacking a salted login encrypted with md5 could take something like 300 years to figure out. So.. bottom line ajax has nothing to do with it.. it's just an interface for the user.


Thank you very much for the great thoughts! That helps clarify things.

 

I guess what I meant was, can ajax in http (and not https) ever be as secure as over https. I'm leaning towards "no," but I'm open to hearing ways it could be done. My fear is of the man in the middle attack.

You know, unless your site is comparable to a place like facebook/twitter/myspace/etcetera (some other website that specializes in marketing personal information) then there's really no point in using HTTPS for your login. IMO, HTTPS is best used for credit card numbers, social security numbers, government PIN numbers, and other really sensitive data.

 

Just like xcandiottix already said, AJAX does nothing different as far as data transfer (besides doing it behind the scenes.)  Implementing HTTPS would be overkill unless your users' information is really THAT sensitive.  I mean, really sensitive... HTTPS is a big deal.  Sites like eBay, amazon, Paypal and so on couldn't exist without it.  So the real question is... Are you considering your site to be this important?  If so, then yes HTTPS would be a wise choice.
