Setting up a Login on a Web Site
-
I am currently working on a website with a friend and we want to support users logging in. Security is not a top priority. We have HTML and JavaScript code which will extract the User's name and password. We want to use an object of XMLHttpRequest to call the server to verify the user. We would use a post. Does this approach make sense? If there is a better approach, I would like to know what it is. However, we do not want to use jQuery, ASP.Net or a relational database. I am now thinking that this should have been posted to the JavaScript forum. If so, I will post it there. Bob
-
You've told us what technologies you don't want to use on the server, but you've forgotten to tell us what technologies you do want to use. If you're going to call the server to validate the credentials, you'll need some code running on the server, and somewhere to store the usernames and salted-and-hashed passwords. You need to decide what you're going to use for both of those before you can work out how feasible your solution will be.
Making an AJAX post will be no less secure than a regular form post. However, I would strongly recommend installing an SSL certificate, and only serving your site over HTTPS. You can probably get a free certificate from StartSSL or Let's Encrypt.
NB: Don't store the passwords in plain text, even if security isn't an issue for your site. Lots of people reuse the same credentials on multiple sites, so if your site is hacked, you could be exposing their on-line banking password!
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
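The salted-and-hashed storage recommended in the reply above, as an added example that is not part of the original thread. It uses Node.js's built-in crypto module for brevity (the thread's server would be C++, where the same steps apply); the in-memory Map, the function names and the sample account are assumptions made for illustration.

```javascript
// Added example: store a per-user random salt and an scrypt hash, never the password.
const crypto = require("node:crypto");

const KEY_LEN = 32; // bytes of derived key stored per user

// Build the record to store for a user: fresh random salt plus the scrypt hash.
function makeRecord(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Constructed in-memory store standing in for whatever storage the site picks.
const users = new Map();

function register(username, password) {
  if (users.has(username)) return false; // do not overwrite an existing account
  users.set(username, makeRecord(password));
  return true;
}

// Dummy record so an unknown username costs the same hashing work as a known one.
const DUMMY = makeRecord(crypto.randomBytes(16).toString("hex"));

// What the handler behind the login POST would call with the submitted fields.
function verifyLogin(username, password) {
  const record = users.get(username) || DUMMY;
  const expected = Buffer.from(record.hash, "hex");
  const actual = crypto.scryptSync(password, Buffer.from(record.salt, "hex"), KEY_LEN);
  // Constant-time comparison; both buffers are always KEY_LEN bytes long.
  const match = crypto.timingSafeEqual(expected, actual);
  return match && users.has(username);
}

register("bob", "correct horse battery staple"); // constructed sample account
```

Because each record has its own salt, two users with the same password get different stored hashes, so a leaked store does not reveal which accounts share a password.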
-
Richard, Thanks for the response. We are planning on writing the server code in C++. From what I gather from your post, what you are telling me is that what I suggest will work. Do I have that right? Thanks Bob
Yes, I can't see any problem with it. Lots of sites use AJAX for login. Writing the server-side code in C++ sounds like a pain, though. :)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
If you're not terribly concerned with security, then why bother tracking accounts at all? Why not use OAuth2 with external identity providers (Facebook, Twitter, Google, etc.)? There are even several pre-built libraries for it.
"There are three kinds of lies: lies, damned lies and statistics." - Benjamin Disraeli