Solved

I am using a LAMP stack and YUI.  What is the best way to handle login (AJAX, page redirect from script, etc)?

Posted on 2011-10-25
Medium Priority
323 Views
Last Modified: 2012-05-12
I am working on my first actual internet web site.  I have done intranet sites in the past.  I have a login page that I am working on.  My web site design is using a LAMP stack and YUI 2.9.  I plan on having the login post to a php script which will either redirect to the login page if there is an error, or set session variables and redirect to the home page if the login is valid.  I have hidden labels to show the error if needed.

I wanted to get some input on how the design of the login page would be best handled, both from a design standpoint and from a security standpoint.  I do not want generic links to suggestions on security (I have about a dozen of those already).  I am looking for a design "how to" with some input as to why you handle the task in the way you do.

I already have the email as the login and a hashed value for the password stored in a database table.  The check on the login credentials is handled with a PDO parameterized query (supposed to be SQL injection proof).  I guess the main thing I am debating is AJAX versus other methods.  I am not interested in using a framework as they tend to create a jumble of dozens (or hundreds) of files that leave me with the feeling that I would have no idea where to start if debugging is needed.
0
Question by:developmentguru
10 Comments
 
LVL 11

Accepted Solution

by:
MacAnthony earned 1600 total points
ID: 37029255
If you are going to go to a different page, I wouldn't be a fan of doing an AJAX request. I would just post the form to the .php file handling the request and forward to the appropriate page from there.

If you do an ajax request to validate the login, the request will have to be returned and interpreted by the client page and then another request would be made to redirect it to the desired page (either success or failure). If you just post the form and redirect on the server to the correct page, you are limiting a round trip request to just once instead of twice.

There isn't anything special about an ajax request other than the results aren't automatically rendered or handled by the web server. It's a great vessel for making incremental changes to a page so you don't have to reload the whole page, but if you are going to reload the whole page anyway, just make a full request to the server.
0
 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 400 total points
ID: 37029434
I agree with @MacAnthony.  Sites that use AJAX for logins usually only have a single page that gets rewritten with massive amounts of javascript and PHP pages on the server to return the info to the javascript.
0
 
LVL 21

Author Comment

by:developmentguru
ID: 37029503
@MacAnthony
Thanks for the input.  Barring anyone able to post some PROs for AJAX it seems I was heading in the right direction.

Any advice on showing the login errors?  I started with the idea of having one label per possible error.  Since I asked the question I have figured out how I can set the innerHTML of the label, so I could just set the text of the label to the error response of the login attempt (seems more rational).

As I mentioned, I have the SQL injection attacks covered as near as I can tell (comments welcome).  I also know to change the session ID often (elevation of privilege, before attempting database modification, etc), I know to keep session variables server side and avoid using GET.  Any other security concerns you would care to mention?
0
 
LVL 11

Expert Comment

by:MacAnthony
ID: 37031386
If it was a form with a lot of fields, I could see doing that, but do you have more than 2 errors? Username doesn't exist and a username password mismatch (however you want to word it). Depending on its visibility and likelihood of being tampered with, I prefer being as vague as I can be with login errors to dissuade guessing. I wouldn't want people typing in usernames to find ones that exist like admin, etc. I prefer just having 1 error saying the login failed.
0
 
LVL 21

Assisted Solution

by:developmentguru
developmentguru earned 0 total points
ID: 37033427
I have a "Login Failed" and a separate one I will use to indicate a situation that should be impossible, "Check Login Credentials".  The former would indicate either that the email does not exist, or that the password does not match (vague).  The latter would only occur if more than one record matches the results.  I plan to have the database set up to only allow distinct email as the user name.  The query will check for an exact match based only on the user name (testing the password separately in code).  With this setup it should return either 0 or 1 record.  The latter error message is to make up for the unknown... a SQL injection form of attack that makes the query return more than one record (possibly all records?).  I am using a parameterized, prepared query so the SQL injection should not be possible.  An old quote goes something like, "it's the punch you never saw coming that gets you".  In this case I am catching ANYTHING that could be outside the 0 or 1 scenario and giving a response that would not mean much to an end user, but tells me a great deal...
0
 
LVL 21

Author Comment

by:developmentguru
ID: 37033449
What mechanism do you use, when redirecting back to the login page, to indicate the failed login?  Do you pass a message?  Do you pass an error code?  Do you use hidden fields?

(All the questions are a poorly disguised attempt to draw you out on a broader discussion of how you handle things)
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37033879
What server language do you use?  There is an EE article on login systems but I can't seem to find it right now.  Searching for "login system" here on EE will bring up a lot of articles because there are a lot of ways to do it.  This is an attempt to get you to narrow your question to something we can directly help you with.
0
 
LVL 11

Assisted Solution

by:MacAnthony
MacAnthony earned 1600 total points
ID: 37034288
Again it depends on the application, but I typically have had the login page be the form action itself and just handle the errors when redrawn or redirect to the app index if successful.

When I said I don't like 'username not found' type messages, it isn't to avoid sql injection, but to deter people who may be looking to guess account names like an admin account or something.
0
 
LVL 21

Author Comment

by:developmentguru
ID: 37035512
@DaveBaldwin
I am using PHP for the server language (as indicated by the LAMP stack).  I am looking for simple steps of the process for doing a web based login system (not a whole system).

Currently I have a form that is my login form and it posts to a PHP script.  That script will either redirect to the login form (passing back an error message) or redirect to the page that called it.  One thing I was curious about was how best to pass information back on a form (error message, intended page if login is successful, that sort of thing).  I could use a session variable to store the name of the form that redirected to the login, then the redirect would not require passing an extra property to state which page it would redirect to.  For that matter I suppose I could make a session variable for the login error and make the login form's error label simply output this as text for the message.

I feel like I am down to some very basic functionality and just wanted to see how "the pro's" handle the passing of information among the pages.
0
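The pieces discussed across the thread (a plain form POST to a PHP script, a PDO parameterized lookup that must return 0 or 1 rows, a single vague "Login failed" message, regenerating the session ID on login, and passing the error and the return-to page through session variables instead of the URL) fit together in one small handler. The following is an added example, not code posted by anyone in this thread. It assumes a `users` table with columns `id`, `email` and `password_hash` (hashes created with PHP's `password_hash()`), a login form at `/login.php` that POSTs `email` and `password` fields, and constructed PDO credentials; the `requireLogin()` helper and the `return_to` / `login_error` session keys are names chosen here.

```php
<?php
// login-handler.php: the form action for the login page (added example, not
// from the thread). Assumes table users(id, email UNIQUE, password_hash).
declare(strict_types=1);

session_start();

// Constructed connection details; replace for a real deployment.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
]);

// Look up a user by email with a bound parameter. Returns null for "no such
// user" AND for the should-be-impossible case of more than one row, which is
// logged server side rather than shown to the visitor.
function findUser(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    if (count($rows) > 1) {
        error_log(sprintf('login: %d rows for one email, expected 0 or 1', count($rows)));
        return null;
    }
    return $rows[0] ?? null;
}

// Verify credentials. The password is checked against a throwaway hash when
// the email is unknown so the response time does not reveal which emails exist.
function attemptLogin(PDO $pdo, string $email, string $password): bool
{
    $user = findUser($pdo, $email);
    $hash = $user['password_hash'] ?? password_hash('unused-dummy-value', PASSWORD_DEFAULT);

    if (!password_verify($password, $hash) || $user === null) {
        return false;
    }

    // Privilege level changes here, so issue a fresh session ID.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Call this at the top of any protected page: remembers where the visitor was
// heading (in the session, not the URL) and sends them to the login form.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/index.php';
        header('Location: /login.php');
        exit;
    }
}

// Only accept a same-site path as a post-login destination.
function safeReturnPath(?string $path): string
{
    if ($path === null || $path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/index.php';
    }
    return $path;
}

// --- request handling ---
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: /login.php');
    exit;
}

$email    = trim((string) ($_POST['email'] ?? ''));
$password = (string) ($_POST['password'] ?? '');

if (attemptLogin($pdo, $email, $password)) {
    $next = safeReturnPath($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']);
    header('Location: ' . $next);
    exit;
}

// One deliberately vague message, whatever the underlying cause.
$_SESSION['login_error'] = 'Login failed';
header('Location: /login.php');
exit;
```

On the form page the label is filled from the session and the key cleared immediately, so the message shows once and never travels in a query string: `$error = $_SESSION['login_error'] ?? ''; unset($_SESSION['login_error']);` followed by `echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');` inside the label. `password_hash()`/`password_verify()` need PHP 5.5 or later, which postdates this thread; on the PHP of 2011 the equivalent is a salted hash with `crypt()` using a bcrypt salt.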
 
LVL 21

Author Closing Comment

by:developmentguru
ID: 37123927
I got some good advice that basically told me I was heading the right direction.  I wanted to accept the answers as they did represent the advice I was looking for.  I also marked some of mine as assisting, to point them out to future readers.

I opted for a simpler solution to passing the error back too... I have one bit of text for showing the error, and that is filled in by a server side script.  If there is no error it is left blank.

Thanks for the help.
0
