Ajax到PHP登录脚本安全

I'm looking at how to send a username and password via Ajax to PHP securely and how to also store the values in the MySQL database properly too.

我正在研究如何通过Ajax安全地向PHP发送用户名和密码，以及如何正确地将值存储在MySQL数据库中。

In the past I have used the following type of example:

在过去，我使用了以下类型的示例：

var formData = {username:$('#username').val(), password:$('#password').val()};
//SEND
$.ajax({
    type: "POST",
    url: "/signin.php",
    data: formData,
    success: function(data) {
        //success
    }
});

This is to send the values via JavaScript to then get a return OK or FAIL from the PHP. But is this secure enough? I was hoping someone would be kind enough to point me in the right and secure direction of sending sensitive data from JavaScript to PHP.

这是通过JavaScript发送值然后从PHP返回OK或FAIL。但这足够安全吗？我希望有人能够指出我从JavaScript到PHP发送敏感数据的正确和安全的方向。

SQLfiddle

1 个解决方案

#1

To be secure you need to ensure at minimum three things:

为了安全起见，您至少需要确保三件事：

The input box, type=password The user control in which the user enters the password is a password input type, or custom control designed for this purpose which has been sufficiently validated for not caching, etc.
输入框，type = password用户输入密码的用户控件是密码输入类型，或为此目的设计的自定义控件，已经过充分验证，不进行缓存等。
The connection, https In its current state, your question does not mention whether or not the connection is over https. It is more secure if the login box itself is displayed through a secure connection. In addition the ajax needs to post across the secure connection.
连接，https在当前状态下，您的问题没有提到连接是否通过https。如果通过安全连接显示登录框本身，则更安全。此外，ajax需要在安全连接上发布。
Hash passwords properly Use the native PHP password hashing API and hash passwords and store the hash in your database. Verify input passwords by using the password_verify function. password_hash() password_verify()
正确散列密码使用本机PHP密码散列API和散列密码，并将散列存储在数据库中。使用password_verify函数验证输入密码。 password_hash（）password_verify（）

To do it "right" you should also consider:

要做到“正确”，你还应该考虑：

Control the rate and number of failed login requests.
控制失败的登录请求的速率和数量。
Record login statistics so that you can identify strange behavior and investigate it
记录登录统计信息，以便您可以识别奇怪的行为并进行调查
Use browser side AND server side password strength testing to validate users' new passwords as being strong enough.
使用浏览器端和服务器端密码强度测试来验证用户的新密码是否足够强大。
Use captcha to prevent pedestrian automation
使用验证码可防止行人自动化
Create a database user especially for authentication. Limit table/schema access accordingly. Use a separate subdomain for authentication. Use fastcgi-php or suphp to set the user for auth access to the database. Allow normal PHP database user to only read a semaphore or other login state credential from this "sandbox."

创建数据库用户，尤其是用于身份验相应地限制表/模式访问。使用单独的子域进行身份验证。使用fastcgi-php或suphp设置用户对数据库的auth访问权限。允许普通的PHP数据库用户仅从此“沙箱”中读取信号量或其他登录状态凭据。
When users are entering their passwords, use site verification, ssl, and a verification "phrase" or picture they set when they created their account so they can be sure they are inputing to your server.

当用户输入密码时，请使用网站验证，ssl以及他们在创建帐户时设置的验证“短语”或图片，以便他们确定他们正在输入您的服务器。

Additionally, most security concerns are going to be involved in what you do after the login. How do you plan to maintain the user's session? Greater security usually requires compromising convenience to the user. You need to consider carefully what type of abilities and information the user will have access to once authenticated. Your security plan should take that into account.

此外，大多数安全问题都将涉及您在登录后执行的操作。您打算如何维护用户的会话？更高的安全性通常需要损害用户的便利性。您需要仔细考虑用户在经过身份验证后可以访问哪些类型的功能和信息。您的安全计划应考虑到这一点。

An alternative you might consider is using OAuth2 providers such as Google and Facebook.

您可以考虑使用OAuth2提供商，例如Google和Facebook。

#1